@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. Since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who hope to stay current with the offensive methods in use.
May 2, 2019
=============================================================
@RISK: The Consensus Security Vulnerability Alert
May 2, 2019 - Vol. 19, Num. 18
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES April 25 - May 2
============================================================
TOP VULNERABILITY THIS WEEK: Attackers exploiting Oracle vulnerability in the wild
*********** Sponsored By Fidelis Cybersecurity ***********
When it comes to cybersecurity, you can only defend what you can see. Organizations continue to suffer breaches, oftentimes because they do not have continuous, real-time visibility of all their critical assets. Register for the Fidelis webcast "Gaining a Decisive Advantage Through Terrain Based Cyber Defense" to learn more: http://www.sans.org/info/212615
============================================================
TRAINING UPDATE
-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019
-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019
-- SANS San Antonio 2019 | May 28-June 2 | https://www.sans.org/event/san-antonio-2019
-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019
-- Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10 | https://www.sans.org/event/enterprise-defense-summit-2019
-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019
-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019
-- SANS OnDemand and vLive Training
Get an iPad, Samsung Galaxy Tab A, or $250 Off with OnDemand or vLive training. Offer ends May 15.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Attend the inaugural SANS Enterprise Defense Summit in Redondo Beach, CA June 3-4. http://www.sans.org/info/212620
2) Take the 2019 SANS Integrated Incident Response Survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/212625
3) How is your organization responding to the threats that matter? Take this SANS survey and enter for a chance to win a $400 Amazon gift card:
http://www.sans.org/info/212630
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Oracle vulnerability opens users to remote code execution attacks
Description: Oracle released an out-of-band patch for WebLogic servers for a flaw that could allow an attacker to carry out remote code execution attacks. Security researchers discovered the bug being exploited in the wild earlier this month. Oracle assigned the bug CVE-2019-2725 and gave it a CVSS score of 9.8/10, highlighting how serious the issue is. WebLogic server owners are urged to update as soon as possible.
Reference: https://www.zdnet.com/article/new-oracle-weblogic-zero-day-discovered-in-the-wild/
Snort SIDs: 49942, 49943
Title: JasperLoader targets Europe with Gootkit banking trojan
Description: A loader known as "JasperLoader" has been increasingly active over the past few months and is currently being distributed via malicious spam campaigns primarily targeting central European countries, with a particular focus on Germany and Italy. JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult. It appears that this loader was designed with resiliency and flexibility in mind, as evidenced in later stages of the infection process.
Reference: https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html
Snort SIDs: 49914, 49915
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Docker says an attacker breached one of its Hub databases and could have stolen sensitive information from nearly 190,000 accounts.
Norwegian aluminum producer Norsk Hydro said a ransomware attack earlier this year cost the company the equivalent of $52 million in the first quarter.
Apple removed several parental control apps from its app store due to what the company called "highly invasive" mobile device management software.
https://www.securityweek.com/apple-claims-parental-control-apps-removed-due-use-mdm
A recent study found that the vast majority of U.S. presidential candidates' campaigns for the 2020 election are open to an email-based attack.
https://finance.yahoo.com/news/most-2020-u-presidential-campaigns-120000599.html
An unguarded Microsoft-hosted database contains sensitive information on nearly 80 million U.S. households -- and it's unclear who owns it.
https://www.engadget.com/2019/04/29/database-exposes-80-million-us-households/
Facebook agreed to take part in a study of how social media influences American elections, opening up its internal data to independent researchers.
Messaging company Slack warned it could be the target of large-scale cyber attacks ahead of its IPO filing.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2019-2725
Title: Oracle WebLogic Server Remote Code Execution Vulnerability
Vendor: Oracle
Description: A remote code execution vulnerability exists in Oracle WebLogic Server. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. The flaw exists in the wls9_async_response package, where the components wls9_async and wls-wsat trigger this vulnerability. An attacker can supply a maliciously crafted serialized object; upon processing, it is deserialized and the malicious content inside it can be executed with elevated privileges. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2019-11597
Title: ImageMagick Multiple Heap Buffer Overflow Vulnerabilities
Vendor: ImageMagick
Description: ImageMagick is exposed to multiple heap-based buffer overflow vulnerabilities. An attacker can exploit this issue to cause a denial-of-service condition and obtain sensitive information. In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file.
CVSS v2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:N/A:P)
ID: CVE-2019-3398
Title: Atlassian Confluence Server and Confluence Data Center Directory Traversal Vulnerability
Vendor: Atlassian
Description: Atlassian Confluence Server and Confluence Data Center are exposed to a directory traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve sensitive information. Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and/or blogs, to create a new space or a personal space, or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations, which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
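The defensive pattern for the Confluence entry above, as an added example that is not Atlassian's code or a reproduction of the downloadallattachments fix: every user-supplied attachment path is resolved with realpath() and then checked for containment in the attachment root before any file is written. The root directory, the probe paths and the sample attachment bytes are constructed for the demonstration.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would escape the attachment root."""


def resolve_within(base_dir, user_path):
    """Resolve user_path under base_dir and refuse anything that escapes it.

    realpath() collapses '..' segments and follows symlinks before the check,
    so 'sub/../../x' and a symlink pointing outside are both caught.
    commonpath() (rather than startswith) avoids treating '/base2' as
    inside '/base'. The bare root itself is refused too: an attachment must
    be a file below it, never the directory.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"refusing path outside {base}: {user_path!r}")
    return candidate


def store_attachment(base_dir, user_path, data):
    """Write an attachment only after the containment check has passed."""
    target = resolve_within(base_dir, user_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as f:
        f.write(data)
    return os.path.relpath(target, os.path.realpath(base_dir))


def is_contained(base_dir, user_path):
    """True if user_path stays inside base_dir, False if it would traverse out."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


def demo():
    """Run the check over constructed inputs inside a fresh temporary root."""
    root = tempfile.mkdtemp(prefix="attachments-")
    probes = [
        "report.pdf",             # plain file name: allowed
        "space1/page/notes.txt",  # nested path inside the root: allowed
        "../../etc/crontab",      # classic '../' escape: refused
        "/etc/crontab",           # absolute path replaces the joined root: refused
        "a/../../outside.txt",    # escape hidden behind a harmless prefix: refused
    ]
    results = [is_contained(root, p) for p in probes]
    stored = store_attachment(root, "space1/page/notes.txt", b"constructed sample")
    return results, stored


if __name__ == "__main__":
    print(demo())
```

The check resolves first and compares second; rejecting the literal string '../' alone is not enough, because an absolute path or a symlink inside the root reaches the same place without ever containing that sequence.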
ID: CVE-2019-3844
Title: systemd Local Privilege Escalation Vulnerability
Vendor: systemd
Description: systemd is exposed to a local privilege escalation vulnerability. An attacker may exploit this issue to gain elevated privileges. It was discovered that a systemd service that uses the DynamicUser property can get new privileges through the execution of SUID binaries, which would allow it to create binaries owned by the service's transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID is recycled.
CVSS v2 Base Score: 3.7 (AV:L/AC:H/Au:N/C:P/I:P/A:P)
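A configuration audit for the systemd entry above, as an added example that is not systemd's code and is independent of the systemd fix itself: it parses unit files and flags any service that relies on DynamicUser= without also setting NoNewPrivileges=yes, the directive that stops a service from gaining privileges through SUID/SGID binaries. The two unit texts are constructed samples; the parser ignores backslash line continuations, which is a simplification for this check.

```python
"""Flag DynamicUser= services that do not also set NoNewPrivileges=yes."""

VULNERABLE_UNIT = """\
# constructed sample: relies on DynamicUser= alone
[Unit]
Description=Report uploader (constructed example)

[Service]
ExecStart=/usr/local/bin/uploader
DynamicUser=yes
"""

HARDENED_UNIT = """\
# constructed sample: the same service with new-privilege acquisition blocked
[Unit]
Description=Report uploader (constructed example)

[Service]
ExecStart=/usr/local/bin/uploader
DynamicUser=yes
NoNewPrivileges=yes
"""

FINDING = "DynamicUser=yes without NoNewPrivileges=yes"


def parse_unit(text):
    """Minimal INI-style parser for unit files.

    Keys are case-sensitive and may repeat in real units; the last value wins
    here, which is enough for a boolean directive check.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def is_yes(value):
    """systemd accepts several spellings for a true boolean."""
    return value.strip().lower() in {"1", "yes", "true", "on"}


def audit_unit(text):
    """Return a list of findings (empty when the unit passes the check)."""
    service = parse_unit(text).get("Service", {})
    findings = []
    uses_dynamic_user = is_yes(service.get("DynamicUser", "no"))
    blocks_new_privs = is_yes(service.get("NoNewPrivileges", "no"))
    if uses_dynamic_user and not blocks_new_privs:
        findings.append(FINDING)
    return findings


if __name__ == "__main__":
    for name, unit in (("vulnerable", VULNERABLE_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, audit_unit(unit) or "ok")
```

Run it over /etc/systemd/system/*.service and the unit files shipped by packages to find services that depend on the transient user alone for isolation; patching systemd remains the primary fix, and the explicit directive is defence in depth that also documents the intent in the unit itself.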
ID: CVE-2019-6467
Title: ISC BIND Remote Denial of Service Vulnerability
Vendor: ISC
Description: ISC BIND is exposed to a remote denial of service vulnerability. A flaw was found in the way the "nxdomain-redirect" feature was implemented in BIND. An attacker could use this flaw on a server with a vulnerable configuration to cause BIND to exit, denying service to other clients.
CVSS v2 Base Score: 6.4 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
ID: CVE-2018-2004
Title: IBM Jazz Reporting Service Cross Site Scripting Vulnerability
Vendor: IBM
Description: IBM Jazz Reporting Service is exposed to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:N/C:P/I:P/A:C)
ID: CVE-2019-11035
Title: PHP Multiple Heap Buffer Overflow Vulnerabilities
Vendor: PHP
Description: PHP is exposed to multiple heap-based buffer overflow vulnerabilities. When processing certain files, the PHP EXIF extension can be made to read past the allocated buffer in the exif_process_IFD_TAG function. An attacker can exploit these issues to execute arbitrary code in the context of the application. Failed attacks would result in denial of service conditions.
CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
ID: CVE-2019-11244
Title: Kubernetes Local Unauthorized Access Vulnerability
Vendor: Kubernetes
Description: Kubernetes is exposed to a local unauthorized access vulnerability. In Kubernetes, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation. A local attacker can exploit this issue to gain unauthorized access to the affected application.
CVSS v2 Base Score: 1.9 (AV:L/AC:M/Au:N/C:N/I:P/A:N)
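A local check for the condition in the Kubernetes entry above, as an added example that is not kubectl's code: it walks a cache directory and reports every entry whose mode grants write access to "other" (the rw-rw-rw- case), and shows how a tool should create such files so the process umask cannot loosen them. The directory and file contents are constructed in a temporary location; the default --cache-dir path is the one quoted in the entry.

```python
import os
import stat
import tempfile


def world_writable_entries(directory):
    """Return paths under directory (relative to it) whose mode has the other-write bit.

    Symlinks are skipped: their own mode is meaningless and following them
    would audit whatever they point at rather than the cache itself.
    """
    findings = []
    for root, dirs, files in os.walk(directory):
        for name in dirs + files:
            path = os.path.join(root, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                findings.append(os.path.relpath(path, directory))
    return sorted(findings)


def write_private(path, data):
    """Create path readable and writable by the owner only, whatever the umask is.

    Passing the mode to os.open only restricts relative to the umask, so an
    explicit chmod afterwards also tightens a file that already existed with
    a looser mode. Returns the resulting permission bits as an octal string.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def demo():
    """Build a constructed cache dir with one loose file and one private file."""
    cache_dir = tempfile.mkdtemp(prefix="http-cache-demo-")
    loose = os.path.join(cache_dir, "schema.json")
    with open(loose, "w") as f:
        f.write("{}")
    os.chmod(loose, 0o666)  # the rw-rw-rw- mode the advisory describes
    write_private(os.path.join(cache_dir, "servergroups.json"), b"{}")
    return cache_dir, world_writable_entries(cache_dir)


if __name__ == "__main__":
    # Audit the default kubectl cache location named in the advisory.
    default_cache = os.path.expanduser("~/.kube/http-cache")
    if os.path.isdir(default_cache):
        print(default_cache, world_writable_entries(default_cache) or "no world-writable entries")
    print(demo())
```

The same walk applies to any --cache-dir a user has pointed at a shared location such as a world-accessible temp directory; the finding to act on is a cache directory whose parent is reachable by other local accounts, since the modified schema is read back on the next kubectl invocation.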
ID: CVE-2019-9208
Title: Wireshark Multiple Denial of Service Vulnerabilities
Vendor: Wireshark
Description: Wireshark is exposed to multiple denial of service vulnerabilities. In Wireshark, the TCAP dissector could crash. This was addressed in epan/dissectors/asn1/tcap/tcap.cnf by avoiding NULL pointer dereferences. An attacker can exploit these issues by injecting a malformed packet onto the wire or by convincing someone to read a malformed 'pcap' file.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
=========================================================
MOST PREVALENT MALWARE FILES April 25 - May 2:
COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/#/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: https://www.virustotal.com/#/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/#/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
Claimed Product: N/A
Detection Name: W32.Generic:Gen.21ij.1201
SHA 256: d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed
MD5: 6372f770cddb40efefc57136930f4eb7
VirusTotal: https://www.virustotal.com/#/file/d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed/details
Typical Filename: maftask.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Gt32supportgeeks::tpd
=============================================================
(c) 2019. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743