Newsletters: @RISK



@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

May 9, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            May 9, 2019 - Vol. 19, Num. 19


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES May 2 - 9

============================================================


TOP VULNERABILITY THIS WEEK: Attackers continue to exploit Oracle WebLogic vulnerabilities, now dropping ransomware



============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Attacks using WebLogic bugs expand, evolve

Description: Attackers continue to spread malware by exploiting a critical vulnerability in Oracle WebLogic. The bug, identified as CVE-2019-2725, was disclosed and patched last week. However, as users have been slow to update, attackers are still able to exploit this vulnerability to deliver ransomware, specifically Gandcrab and XMRig.

Reference: https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/

Snort SIDs: 50014 - 50025


Title: Cisco discloses 41 bugs, one of them critical

Description: Cisco released a security update for several of its products, including one critical bug in the SSH key management for the Nexus 9000 series Application Centric Infrastructure (ACI) mode switch software. An attacker could exploit this vulnerability by connecting to a machine via SSH, which could allow them to connect to the system with the same privileges as a root user.

Reference: https://www.sdxcentral.com/articles/news/cisco-issues-largest-single-day-security-vulnerabilities-in-at-least-12-months/2019/05/

Snort SIDs: 49992 - 49996, 50006, 50007


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


A new report states Chinese intelligence agencies may have stolen an NSA hacking tool several years ago while the U.S. was attacking their systems, and eventually leaked those tools to the Shadow Brokers APT.

https://www.engadget.com/2019/05/07/symantec-buckeye-wannacry/


Mozilla says it will start banning add-ons for the Firefox web browser that contain obfuscated code in an effort to cut down on the number of malicious extensions.

https://www.helpnetsecurity.com/2019/05/03/firefox-add-ons-obfuscated-code/


IDF bombed an alleged Hamas hacking base after the organization allegedly launched a cyber attack against Israeli targets.

https://www.wired.com/story/israel-hamas-cyberattack-air-strike-cyberwar/


The Magecart malware is being used in yet another attack, this time targeting 201 online college bookstores.

https://www.infosecurity-magazine.com/news/magecart-steals-data-201-campus-1-1/


In March, a "cyber event" disrupted operations at a utility company in the Western US, but did not cause blackouts.

https://www.eenews.net/stories/1060254751


Baltimore's city government was hit with a ransomware attack, temporarily disabling all non-emergency services' systems.

https://www.baltimoresun.com/news/maryland/politics/bs-md-ci-it-outage-20190507-story.html


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:        CVE-2019-0703

Title:    Windows SMB Information Disclosure Vulnerability

Vendor:    Windows

Description: An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests. An authenticated attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server. To exploit the vulnerability, an attacker would have to be able to authenticate and send SMB messages to an impacted Windows SMB Server.

CVSS v2 Base Score:    7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)


ID:        CVE-2019-2725

Title:    Oracle WebLogic Server Remote Code Execution Vulnerability

Vendor:    Oracle

Description: A remote code execution vulnerability exists in Oracle WebLogic Server. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. The flaw exists in the wls9_async_response package, where the components wls9_async and wls-wsat trigger this vulnerability. An attacker can input a maliciously crafted serialized file. Upon processing, this file is deserialised and can execute the malicious content inside it with elevated privileges. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-3400

Title:    Atlassian JIRA Cross Site Scripting Vulnerability

Vendor:    Atlassian

Description: Atlassian JIRA is prone to a cross site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. It allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting vulnerability in the jql parameter.

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


ID:        CVE-2019-1708

Title:    Multiple Cisco Products CVE-2019-1708 Denial of Service Vulnerability

Vendor:    Cisco

Description: Cisco Adaptive Security Appliance and Firepower Threat Defense Software are prone to a remote denial of service vulnerability. Attackers can exploit this issue to cause a reload of the affected devices, denying service to legitimate users. A vulnerability in the Internet Key Exchange Version 2 Mobility and Multihoming Protocol (MOBIKE) feature for the Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a memory leak or a reload of an affected device that leads to a denial of service (DoS) condition. The vulnerability is due to the incorrect processing of certain MOBIKE packets. An attacker could exploit this vulnerability by sending crafted MOBIKE packets to an affected device to be processed. A successful exploit could cause an affected device to continuously consume memory and eventually reload, resulting in a Denial of Service condition.

CVSS v2 Base Score:    7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)


ID:        CVE-2019-1857

Title:    Cisco HyperFlex HX-Series Cross Site Request Forgery Vulnerability

Vendor:    Cisco

Description: Cisco HyperFlex HX-Series is prone to a cross site request forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. A vulnerability in the web-based management interface of Cisco HyperFlex HX-Series could allow an unauthenticated, remote attacker to conduct a cross-site request forgery attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system by using a web browser and with the privileges of the user.

CVSS v2 Base Score:    6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-1854

Title:    Cisco Expressway Series Directory Traversal Vulnerability

Vendor:    Cisco

Description: Cisco Expressway Series is prone to a directory-traversal vulnerability. An attacker can exploit this issue using directory-traversal characters ('../') to access and write arbitrary files or to execute arbitrary files. A vulnerability in the management web interface of Cisco Expressway Series could allow an authenticated, remote attacker to perform a directory traversal attack against an affected device. The vulnerability is due to insufficient input validation on the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web interface. A successful exploit could allow the attacker to bypass security restrictions and access the web interface of a Cisco Unified Communications Manager associated with the affected device. Valid credentials would still be required to access the Cisco Unified Communications Manager interface.

CVSS v2 Base Score:    4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)


ID:        CVE-2019-1701

Title:    Multiple Cisco Products Multiple Cross Site Scripting Vulnerabilities

Vendor:    Cisco

Description: Multiple Cisco Products are prone to multiple cross-site scripting vulnerabilities because they fail to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Multiple vulnerabilities in the WebVPN service of Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software could allow an authenticated, remote attacker to conduct a cross-site scripting attack against a user of the WebVPN portal of an affected device. The vulnerabilities exist because the software insufficiently validates user-supplied input on an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.

CVSS v2 Base Score:    3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)


ID:        CVE-2019-1856

Title:    Cisco Prime Collaboration Assurance Cross Site Scripting Vulnerability

Vendor:    Cisco

Description: Cisco Prime Collaboration Assurance is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance could allow an unauthenticated, remote attacker to conduct a cross-site scripting attack against a user of the web-based management interface of an affected device. The vulnerability is due to the insufficient validation of data supplied by external devices to the web-based management interface of an affected PCA device. An attacker in control of devices integrated with an affected PCA device could exploit this vulnerability by using crafted data in certain fields of the controlled devices. A successful exploit could allow the attacker to execute arbitrary script code in the context of the PCA web-based management interface or allow the attacker to access sensitive browser-based information.

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


ID:        CVE-2019-1713

Title:    Cisco Adaptive Security Appliance Software Cross Site Request Forgery Vulnerability

Vendor:    Cisco

Description: Cisco Adaptive Security Appliance Software is prone to a cross site request forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. A vulnerability in the web-based management interface of Cisco Adaptive Security Appliance Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.

CVSS v2 Base Score:    9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


=========================================================


MOST PREVALENT MALWARE FILES May 2 - 9:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/#/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir

Claimed Product: N/A

Detection Name: W32.Generic:Gen.21ij.1201


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/#/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/#/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: xme64-2141.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


SHA 256: 9d48f382ec11bd9b35488a2c2b878e5401c2be43f00bcbae30d1619e6e2bf0c1

MD5: dd46d0260a6cdf5625d468398bae1f60

VirusTotal: https://www.virustotal.com/#/file/9d48f382ec11bd9b35488a2c2b878e5401c2be43f00bcbae30d1619e6e2bf0c1/details

Typical Filename: N/A

Claimed Product: N/A

Detection Name: Win.Dropper.Undefined::tpd


=============================================================

