@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
January 17, 2013=============================================================
@RISK: The Consensus Security Vulnerability Alert
Vol. 13, Num. 03
Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.
=============================================================CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 1/10/2013 - 1/16/2013
============================================================TOP VULNERABILITY THIS WEEK: A 0-day was discovered in Java by researchers who saw it being used in several distinct exploit kits. While Oracle has released a patch, which includes requiring users to click an applet to run it by default, US-CERT has advised everyone who does not need Java to disable it in their browser immediately.
============================================================TRAINING UPDATE
- --SANS Security East 2013 New Orleans, LA January 16-23, 2013
11 courses. Bonus evening presentations include The Next Wave - Data
Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your
Friends and Neighbors for Fun. Special Event: NetWars Tournament of
Champions.
http://www.sans.org/event/security-east-2013
- --North American Industrial Controls Systems and SCADA Summit 2013
Lake Buena Vista, FL February 6-13, 2013
The only technical security and training program in ICS security - for
program managers, control systems engineers, IT security professionals
and critical infrastructure protection specialists from asset owning and
operating organizations along with control systems and security vendors
who have innovative solutions for improving security. Every attendee
leaves with new tools and techniques they can put to work immediately.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater
Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013
- --SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentation: Security of National eID
(smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013
- --SANS 2013 Orlando, FL March 8-March 15, 2013
46 courses. Bonus evening presentations include Why Our Defenses Are
Failing Us: One Click Is All It Takes ...; Human Nature and Information
Security: Irrational and Extraneous Factors That Matter; and
Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013
- --SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
7 courses. Bonus evening presentations include Base64 Can Get You
Pwned!; and The 13 Absolute Truths of Security.
http://www.sans.org/event/monterey-2013
- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013
7 courses. Bonus evening presentations include Infosec Rock Star: How
to be a More Effective Security Professional; Pentesting Web Apps with
Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Cairo, New Delhi, Scottsdale, Brussels, Johannesburg, and Canberra all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
============================================================NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Java 0-day attack exploited in the wild
Description: Researchers last Thursday discovered a 0-day attack against
the latest version of Java being exploited in the wild by a series of
exploit kits, with owners of multiple kits claiming responsibility for
having added the attack to their kit first. After US-CERT released an
advisory recommending that anyone who does not use Java regularly
disable it immediately, Oracle issued a patch on Sunday, which included
a change to Java's security settings that would require users to click
on an applet to allow it to run. While experts are praising that
settings update as a proactive defensive mechanism, researchers from
Immunity on Monday noted that the patch issued by Oracle - while
effective against attacks currently in the wild - did not completely
resolve one of the underlying issues with this bug, leaving the door
open for further attacks in the future. The VRT strongly recommends
following US-CERT's guidance on the issue and disabling Java if
possible, while being vigilant on patches if it must be left enabled.
Reference:
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
http://vrt-blog.snort.org/2013/01/generic-exploit-kit-detection-first.html
http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
http://immunityproducts.blogspot.com.ar/2013/01/confirmed-java-only-fixed-one-of-two.html
Snort SID: 25041, 25042, 25301 25302
ClamAV: Java.Exploit.Agent-14 - Java.Exploit.Agent-16
Title: Ruby on Rails vulnerability could be largest server-side web bug in years
Description: A pair of remotely exploitable vulnerabilities were
discovered in the popular Ruby on Rails web programming framework last
week, one of which allows for code execution in default installations
with the permissions of the application running Rails code. While
estimates on the number of vulnerable sites vary, experts agree that
number could easily be north of 1 million systems, making this one of
the most widespread server-side exploits in years. An official patch has
been issued (including a patch for the popular Metasploit framework,
which was itself vulnerable), and system administrators are urged to
patch immediately, as exploits are known to be circulating in the wild.
Reference:
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ
http://vrt-blog.snort.org/2013/01/the-ruby-on-rails-vulnerability-that.html
http://blog.sourcefire.com/Post/2013/01/09/1357761360-therubyonrailsvulnerabilitiesofwhattheyareandwhatshouldwedo/
Snort SID: 28287, 25288
ClamAV: N/A
Title: Anonymous takes down MIT sites after suicide of Aaron Swartz
Description: Well-known activist Aaron Swartz, while awaiting trial on
charges related to allegations that he had made publicly available the
entire subscription-only section of the JSTOR database of scholarly
journals and a large section of copyrighted documents at MIT, took his
own life last Friday. Amid allegations that he was driven to suicide by
overly zealous prosecution, Anonymous defaced several MIT sites in a
show of support for Swartz and his crusade for online openness, and a
petition has surfaced to remove the federal prosecutor handling the case
for being overly zealous in his prosecution. The case raises questions
about copyright prosecution in the 21st century, particularly in light
of the fact that Swartz was facing a 35-year sentence even after JSTOR
had asked the federal government to drop its prosecution and allow them
to pursue civil action instead.
Reference:
http://www.washingtonpost.com/business/technology/anonymous-hacks-mit-sites-to-post-aaron-swartz-tribute-call-to-arms/2013/01/14/ff6f706c-5e44-11e2-9940-6fc488f3fecd_story.html
http://pastebin.com/PKm921c9
http://news.cnet.com/8301-1023_3-57563752-93/anonymous-hacks-mit-after-aaron-swartzs-suicide/
Snort SID: N/A
ClamAV: N/A
Title: Researchers discover "Red October" worldwide cyber espionage campaign
Description: Kaspersky Labs released a major report this week on a
highly sophisticated, long-term malware campaign designed to infiltrate
diplomatic circles and collect data valuable to both state and private
actors. According to their analysis, which has held up well to scrutiny
from independent researchers, the campaign has been running since at
least 2007, and includes Chinese-created exploits and malware code from
Russian-speaking engineers. The malware was delivered via highly
targeted spear phish, and used a variety of exploits in MS Office and
other file formats to break into victim machines. While the total number
of infected hosts was low, this discovery helps to highlight the extreme
danger high-profile organizations face from online espionage in the
modern era.
Reference:
http://www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation
Snort SID: 17597, 21902, 22101, 25392-25447
ClamAV: N/A
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Computer scientists find flaw in Cisco VoIP phones:
http://www.eurekalert.org/pub_releases/2013-01/cu-csf010713.php
Minion - automating security for developers:
https://air.mozilla.org/minion-automating-security-for-developers/
Snapshot of Virut botnet after interruption:
http://www.symantec.com/connect/blogs/snapshot-virut-botnet-after-interruption
Nokia: Yes, we decrypt your HTTPS data, but don't worry about it:
http://gigaom.com/2013/01/10/nokia-yes-we-decrypt-your-https-data-but-dont-worry-about-it/
GET-PEB: A tool to dump the Process Environment Block (PEB) of any process:
http://www.exploit-monday.com/2013/01/Get-PEB.html
I/O you own: Windows 8 update:
http://blog.crowdstrike.com/2013/01/io-you-own-windows-8-update.html
Yahoo DOM XSS:
http://www.offensive-security.com/offsec/yahoo-dom-xss-0day-prevails/
The future of protocol reversing and simulation applied on ZeroAccess botnet:
http://events.ccc.de/congress/2012/Fahrplan/events/5256.en.html
Black Hole Exploit Kit author's 'vertical market integration' fuels growth in malicious web activity:
http://blog.webroot.com/2013/01/08/black-hole-exploit-kit-authors-vertical-market-integration-fuels-growth-in-malicious-web-activity/
Private market growing for zero-day exploits and vulnerabilities:
http://searchsecurity.techtarget.com/feature/Private-market-growing-for-zero-day-exploits-and-vulnerabilities
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: : CVE-2013-0422
Title: Oracle Java SE Security Bypass Vulnerability
Vendor: Oracle
Description: Unspecified vulnerability in Oracle Java 7 Update 10 and
earlier allows remote attackers to execute arbitrary code via unknown
vectors, possibly related to "permissions of certain Java classes," as
exploited in the wild in January 2013, and as demonstrated by Blackhole
and Nuclear Pack.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: : CVE-2012-4792
Title: Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer
6 through 8 allows remote attackers to execute arbitrary code via a
crafted web site that triggers access to an object that (1) was not
properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo
object, and exploited in the wild in December 2012.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: : CVE-2013-0156
Title: Ruby on Rails XML Processor YAML Deserialization Code Execution
Vendor: rubyonrails.org
Description: active_support/core_ext/hash/conversions.rb in Ruby on
Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x
before 3.2.11 does not properly restrict casts of string values, which
allows remote attackers to conduct object-injection attacks and execute
arbitrary code, or cause a denial of service (memory and CPU
consumption) involving nested XML entity references, by leveraging
Action Pack support for (1) YAML type conversion or (2) Symbol type
conversion.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: : CVE-2012-6066
Title: Freesshd Authentication Bypass
Vendor: freesshd.com
Description: freeSSHd.exe in freeSSHd through 1.2.6 allows remote
attackers to bypass authentication via a crafted session, as
demonstrated by an OpenSSH client with modified versions of ssh.c and
sshconnect2.c.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: : CVE-2012-0202
Title: IBM Cognos TM1 Buffer Overflow Vulnerability
Vendor: IBM
Description: Multiple stack-based buffer overflows in tm1admsd.exe in
the Admin Server in IBM Cognos TM1 9.4.x and 9.5.x before 9.5.2 FP2
allow remote attackers to cause a denial of service (daemon crash) or
possibly execute arbitrary code via crafted data.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
MOST POPULAR MALWARE FILES 1/3/2013 - 1/9/2013:
COMPILED BY SOURCEFIRE
SHA 256: E82A4FCAC5871ADF5516A2E3DE312EF135537A51EDC3F2E379B68C6AE90961DD
MD5: fe2eb24e6bd36b8be3869ece85aa72bc
VirusTotal: https://www.virustotal.com/file/E82A4FCAC5871ADF5516A2E3DE312EF135537A51EDC3F2E379B68C6AE90961DD/analysis/
Typical Filename: 00000004.@
Claimed Product: 00000004.@
Claimed Publisher: 00000004.@
SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Typical Filename: mjomn.sys
Claimed Product: mjomn.sys
Claimed Publisher: mjomn.sys
SHA 256: E473A10CEE73DE92042E2ED8E2C12F0BB2B923A44A583E96A37FA9C4D2CFC21C
MD5: 80aebc81a5d1eb392bd7c615a779918c
VirusTotal: https://www.virustotal.com/file/E473A10CEE73DE92042E2ED8E2C12F0BB2B923A44A583E96A37FA9C4D2CFC21C/analysis/
Typical Filename: 00000008.@
Claimed Product: 00000008.@
Claimed Publisher: 00000008.@
SHA 256: 2FB8D429AD85AE810AB4605BFDE78CCA8053A512D6C85B179395725BAE96E199
MD5: 543b96731b80fc30a7583bd22cd0d567
VirusTotal: https://www.virustotal.com/file/2FB8D429AD85AE810AB4605BFDE78CCA8053A512D6C85B179395725BAE96E199/analysis/
Typical Filename: tchcsy.exe
Claimed Product: tchcsy.exe
Claimed Publisher: tchcsy.exe
SHA 256: B73E0A5620E689856ED7EE95387FDB7EBF6D66D1373664AC58B10094CD20318F
MD5: 54ed1955edb126599e3814b6e251bca6
VirusTotal: https://www.virustotal.com/file/B73E0A5620E689856ED7EE95387FDB7EBF6D66D1373664AC58B10094CD20318F/analysis/
Typical Filename: 80000000.@
Claimed Product: 80000000.@
Claimed Publisher: 80000000.@
(c) 2013. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account
