@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. Because it is also valuable for security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training, and to others at their organizations who want to stay current with the offensive methods in use.
March 7, 2019
=============================================================
@RISK: The Consensus Security Vulnerability Alert
March 7, 2019 - Vol. 19, Num. 10
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES March 1 - 7
============================================================
TOP VULNERABILITY THIS WEEK: Attacks pick up on vulnerable Cisco SOHO routers
*********** Sponsored By NETSCOUT Systems, Inc. ***********
"Maximizing SOC Effectiveness and Efficiency with Integrated Operations and Defense" John Pescatore, SANS Institute, joined by Arabella Hallawell, NETSCOUT, will talk with security managers about how the most commonly cited barriers to improving security operations, including lack of budget and lack of staff, can be overcome. Register: http://www.sans.org/info/210995
============================================================
TRAINING UPDATE
-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019
-- SANS Munich March 2019 | March 18-23 | https://www.sans.org/event/munich-march-2019
-- SANS Secure Canberra 2019 | March 18-23 | https://www.sans.org/event/secure-canberra-2019
-- SANS London April 2019 | April 8-13 | https://www.sans.org/event/london-april-2019
-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019
-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019
-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019
-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS OnDemand and vLive Training
Get an iPad Mini, ASUS Chromebook C223NA or Take $250 Off with OnDemand or vLive training. Offer ends March 20.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/courses
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Don't Miss "Overcoming Obstacles to Secure Multi-cloud Access" with John Pescatore and Rajoo Nagar. http://www.sans.org/info/211000
2) SURVEY: Are you involved with operational technology and ICS? SANS wants to hear from you! Take 10 minutes to complete the State of OT/ICS Cybersecurity Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/211005
3) What does it take to establish a successful security operations program? Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/211010
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Cisco patches critical vulnerabilities in RV series of routers
Description: Attackers are targeting Cisco small office/home office routers after the company patched a critical bug in its RV line. The vulnerability, in the routers' web-based management interface, can be exploited remotely over the internet without authentication to run arbitrary code on the device (Cisco advisory cisco-sa-20190227-rmi-cmd-ex). Affected models are the Cisco RV110W, RV130W and RV215W.
Reference: https://www.zdnet.com/article/hackers-have-started-attacks-on-cisco-rv110-rv130-and-rv215-routers/
Snort SIDs: 49296
Title: 19-year-old WinRAR vulnerability finally patched
Description: A micropatch released last week fixes a 19-year-old vulnerability in WinRAR that could give an attacker remote code execution. The bug, CVE-2018-20250, is a path traversal in UNACEV2.DLL, the library WinRAR used to unpack ACE archives: a specially crafted archive could drop a file into a location of the attacker's choosing, such as the Windows Startup folder, so that tricking a user into opening it is enough to take over the machine. WinRAR's own fix (version 5.70) removes support for ACE archives entirely; the micropatch instead fixes the library for users who still need ACE.
Reference: https://www.bleepingcomputer.com/news/security/19-year-old-winrar-rce-vulnerability-gets-micropatch-which-keeps-ace-support/
Snort SIDs: 49289 - 49292
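The WinRAR bug above is a path-traversal failure in an archive extractor: the file name stored inside the archive was trusted and written relative to the current drive, so "..\" sequences and drive-qualified names could land a file outside the folder the user picked. The check below is an added example, not RARLAB code or code from this newsletter: it resolves each entry name against the chosen destination and refuses anything that would escape it. Every entry name in SAMPLE_ENTRIES is constructed.

```python
"""Path-traversal guard for archive extraction (added example, not RARLAB code).

CVE-2018-20250 worked because UNACEV2.DLL trusted the file name stored in an
ACE archive, so "..\\" sequences and drive-qualified names escaped the
extraction folder. safe_target_path() resolves every entry name against the
destination directory and rejects anything that would land outside it.
All entry names below are constructed samples.
"""
import posixpath
import re
from typing import Dict, List, Optional, Tuple

# A drive prefix such as "C:" (including the "C:\\C:C:.." style used against
# UNACEV2.DLL) marks an absolute Windows path; such names are never trusted.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def safe_target_path(dest_dir: str, entry_name: str) -> Optional[str]:
    """Return the path the entry may be written to, or None if it escapes dest_dir.

    dest_dir uses forward slashes (e.g. "/home/user/out" or "C:/Users/u/out").
    """
    name = entry_name.replace("\\", "/")          # normalise Windows separators
    if _DRIVE_RE.match(name) or name.startswith("/"):
        return None                                # drive-qualified, absolute or UNC
    rel = posixpath.normpath(name)                 # collapse "." and harmless ".."
    if rel in (".", "..") or rel.startswith("../"):
        return None                                # climbs above the destination
    dest = posixpath.normpath(dest_dir)
    prefix = dest if dest.endswith("/") else dest + "/"
    target = posixpath.normpath(posixpath.join(dest, rel))
    # Belt and braces: after joining, the string must still sit under dest.
    if target != dest and not target.startswith(prefix):
        return None
    return target


def plan_extraction(dest_dir: str, entries: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Split entries into {entry: target_path} to extract and a list to refuse."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for entry in entries:
        target = safe_target_path(dest_dir, entry)
        if target is None:
            rejected.append(entry)
        else:
            accepted[entry] = target
    return accepted, rejected


# Constructed entry names: two benign, four that try to leave the folder.
SAMPLE_ENTRIES = [
    "report/readme.txt",
    "report/./drafts/../summary.txt",
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe",
    "C:\\C:C:../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe",
    "\\\\fileserver\\share\\payload.dll",
    "/etc/cron.d/job",
]

if __name__ == "__main__":
    ok, bad = plan_extraction("/home/user/out", SAMPLE_ENTRIES)
    for entry, target in ok.items():
        print(f"extract  {entry!r} -> {target}")
    for entry in bad:
        print(f"REJECT   {entry!r}")
```

The lexical check is necessary but not sufficient: an archive can first extract a symlink and then an entry that writes through it, so a real extractor should also open targets with O_NOFOLLOW (or compare the realpath of each parent directory against the destination) before writing.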
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
A Dow Jones watchlist of 2.4 million people considered high-risk leaked after a third-party company left it in a database with no password.
https://techcrunch.com/2019/02/27/dow-jones-watchlist-leak/
New reporting pulled back the curtain on Facebook's massive effort to sway privacy policies around the world by influencing politicians.
https://www.theguardian.com/technology/2019/mar/02/facebook-global-lobbying-campaign-against-data-privacy-laws-investment
Thailand passed a new law that many are calling martial law for the internet; it could allow the country's military to make its own cyber laws in urgent cases.
https://www.reuters.com/article/us-thailand-cyber/thailand-passes-internet-security-law-decried-as-cyber-martial-law-idUSKCN1QH1OB
The popular cryptocurrency miner Coinhive is shutting down, but not over security concerns.
https://www.theverge.com/2019/2/28/18244636/coinhive-cryptojacking-cryptocurrency-mining-shut-down-monero-date
The Chinese hacking group APT40 reportedly carried out multiple cyber attacks on several countries in an effort to bolster China's navy.
https://www.infosecurity-magazine.com/news/chinas-apt40-group-stole-navy-1-1/
U.S. Cyber Command carried out an offensive cyber attack against a well-known Russian troll farm on the day of the 2018 midterm elections in the U.S.
https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html?utm_term=.1b697505f7c9
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2018-1999002
Title: Jenkins Arbitrary File Read Vulnerability
Vendor: Jenkins
Description: An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier and LTS 2.121.1 and earlier, in the Stapler web framework's org/kohsuke/stapler/Stapler.java. A crafted HTTP request (path traversal through the Accept-Language header) returns the contents of any file on the Jenkins master that the Jenkins process can read, which may aid in further attacks.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
ID: CVE-2018-19519
Title: Tcpdump Stack-Based Buffer Over-read Vulnerability
Vendor: Tcpdump
Description: A stack-based buffer over-read exists in the print_prefix function of print-hncp.c in tcpdump 4.9.2, reachable via crafted packet data. A remote attacker can exploit this issue to disclose stack memory contents from the affected system.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
ID: CVE-2019-6340
Title: Drupal Remote Code Execution Vulnerability (SA-CORE-2019-003)
Vendor: Drupal
Description: Arbitrary PHP code execution is possible because some field types do not properly sanitize data from non-form sources, for example when the Drupal 8 core RESTful Web Services (rest) module is enabled and allows PATCH or POST requests, or when another web services module such as JSON:API is enabled. Successful exploitation leads to arbitrary PHP code execution.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
ID: CVE-2018-19107
Title: Exiv2 Denial of Service Vulnerability
Vendor: Exiv2
Description: A vulnerability exists in Exiv2 0.26 (image metadata processing software) in the function Exiv2::IptcParser::decode in iptc.cpp, reached from the PSD image reader in psdimage.cpp. An integer overflow leads to a heap-based buffer over-read, so a crafted file can cause a denial of service.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
ID: CVE-2018-20122
Title: Fastweb Fastgate Remote Code Execution Vulnerability
Vendor: Fastweb
Description: A command injection vulnerability in the status.cgi binary of the Fastweb Fastgate router can be exploited by a remote attacker to achieve remote code execution with root privileges.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2019-7238
Title: Nexus Repository Manager 3 Remote Code Execution Vulnerability
Vendor: Sonatype
Description: Sonatype Nexus Repository Manager 3 before version 3.15.0 fails to enforce access controls properly, leading to a remote code execution vulnerability. An unauthenticated, remote attacker could exploit it to execute arbitrary Java code on the system.
ID: CVE-2018-20250
Title: WinRAR Arbitrary Code Execution Vulnerability
Vendor: RARLAB
Description: RARLAB WinRAR is prone to an arbitrary code execution vulnerability that arises while parsing crafted ACE archives (including ACE files renamed with a .rar extension). Successful exploitation could allow an attacker to execute arbitrary code in the context of the current user.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
ID: CVE-2019-1663
Title: Cisco Routers Management Interface Remote Command Execution Vulnerability - (cisco-sa-20190227-rmi-cmd-ex)
Vendor: Cisco
Description: A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Note: a public exploit for this vulnerability is not available yet.
=========================================================
MOST PREVALENT MALWARE FILES March 1 - 7:
COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: dfe2fcb006df972edf4f8e721bab26cfec809768a0bfbccf5fc661b6ea85dba9
MD5: b860cf8c4cb5dc676ef4893a704c9f8d
VirusTotal: https://www.virustotal.com/#/file/dfe2fcb006df972edf4f8e721bab26cfec809768a0bfbccf5fc661b6ea85dba9/details
Typical Filename: MyMapDirections-14900991.exe
Claimed Product: IEInstaller
Detection Name: W32.Auto:dfe2fc.in03.Talos
SHA 256: 3573bf742920655ec2c28c9ec4ac04194e38096f54c63f0ceb02d366c1034f56
MD5: b6ca0e72b072f40f5544b9fd054d6ed1
VirusTotal: https://www.virustotal.com/#/file/3573bf742920655ec2c28c9ec4ac04194e38096f54c63f0ceb02d366c1034f56/details
Typical Filename: maftask.zip
Claimed Product: N/A
Detection Name: Auto.3573BF7429.Sbmt.tht.Talos
SHA 256: d7d80bf3f32c20298cad1d59ca8cb4508bad43a9be5e027579d7fc77a8e47be0
MD5: d8461f2978de84045e7ad6bea7a60418
VirusTotal: https://www.virustotal.com/#/file/d7d80bf3f32c20298cad1d59ca8cb4508bad43a9be5e027579d7fc77a8e47be0/details
Typical Filename: Window.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
MD5: 147ba798e448eb3caa7e477e7fb3a959
VirusTotal: https://www.virustotal.com/#/file/790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd/details
Typical Filename: ups.exe
Claimed Product: TODO: <产品名>
Detection Name: W32.Variant:Malwaregen.22d1.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
Claimed Product: N/A
Detection Name: W32.Generic:Gen.21ij.1201
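The hashes above are only useful if they are actually checked against hosts. The script below is an added example, not Talos tooling or code from this newsletter: it carries the five SHA-256/MD5 pairs from this issue's list, hashes every regular file under a directory in chunks, and reports matches, treating an MD5-only hit as weaker evidence than a SHA-256 hit. The files written by demo() are constructed and harmless.

```python
"""Sweep a directory tree for the SHA-256 / MD5 hashes listed above.

Added example, not Talos tooling. The IOC tables are copied from the
"Most Prevalent Malware Files" list in this issue; the files created by
demo() are constructed and harmless.
"""
import hashlib
import io
import os
import shutil
import tempfile
from typing import BinaryIO, Dict, List, Optional, Tuple

IOC_SHA256: Dict[str, str] = {
    "dfe2fcb006df972edf4f8e721bab26cfec809768a0bfbccf5fc661b6ea85dba9": "MyMapDirections-14900991.exe",
    "3573bf742920655ec2c28c9ec4ac04194e38096f54c63f0ceb02d366c1034f56": "maftask.zip",
    "d7d80bf3f32c20298cad1d59ca8cb4508bad43a9be5e027579d7fc77a8e47be0": "Window.exe",
    "790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd": "ups.exe",
    "15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b": "799b30f47060ca05d80ece53866e01cc.vir",
}
IOC_MD5: Dict[str, str] = {
    "b860cf8c4cb5dc676ef4893a704c9f8d": "MyMapDirections-14900991.exe",
    "b6ca0e72b072f40f5544b9fd054d6ed1": "maftask.zip",
    "d8461f2978de84045e7ad6bea7a60418": "Window.exe",
    "147ba798e448eb3caa7e477e7fb3a959": "ups.exe",
    "799b30f47060ca05d80ece53866e01cc": "799b30f47060ca05d80ece53866e01cc.vir",
}


def digests(stream: BinaryIO, chunk_size: int = 1 << 20) -> Tuple[str, str]:
    """Return (sha256, md5) hex digests of a binary stream, hashing in chunks
    so large files are never read into memory at once."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        sha.update(chunk)
        md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()


def hash_bytes(data: bytes) -> Tuple[str, str]:
    return digests(io.BytesIO(data))


def hash_file(path: str) -> Tuple[str, str]:
    with open(path, "rb") as fh:
        return digests(fh)


def sweep(root: str,
          ioc_sha256: Optional[Dict[str, str]] = None,
          ioc_md5: Optional[Dict[str, str]] = None) -> List[Dict[str, str]]:
    """Hash every regular file under root and report IOC matches.

    A SHA-256 match is authoritative. An MD5-only match is still reported but
    labelled as such: MD5 collisions are practical, so it is weaker evidence.
    """
    ioc_sha256 = IOC_SHA256 if ioc_sha256 is None else ioc_sha256
    ioc_md5 = IOC_MD5 if ioc_md5 is None else ioc_md5
    hits: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue                      # skip symlinks, devices, sockets
            try:
                sha, md5 = hash_file(path)
            except OSError:
                continue                      # unreadable or vanished mid-scan
            if sha in ioc_sha256:
                hits.append({"path": path, "matched": "sha256", "label": ioc_sha256[sha]})
            elif md5 in ioc_md5:
                hits.append({"path": path, "matched": "md5-only", "label": ioc_md5[md5]})
    return hits


def demo() -> List[Dict[str, str]]:
    """Self-check: build a throwaway tree with a benign file and a constructed
    'suspect' file whose SHA-256 is added to a copy of the IOC set, then sweep it."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"quarterly notes, nothing to see\n")
        suspect = os.path.join(root, "bin", "update.exe")
        with open(suspect, "wb") as fh:
            fh.write(b"MZ\x90\x00 constructed sample, not real malware\n")
        sha, _ = hash_file(suspect)
        iocs = dict(IOC_SHA256)
        iocs[sha] = "constructed-sample"      # constructed IOC for the self-check
        return sweep(root, ioc_sha256=iocs)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['matched']:9s} {hit['label']:20s} {hit['path']}")
```

Run sweep("/") on a live host only from a read-only or forensic mount where possible; hashing every file is slow and will stat devices and sockets, which the isfile check skips. Hash-based IOCs also miss repacked or polymorphic variants, so treat a clean sweep as absence of these exact files, not absence of the campaign.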
=============================================================
(c) 2019. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
https://www.sans.org/account
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743