@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

May 30, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

              May 30, 2019 - Vol. 19, Num. 22


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES May 23 - 30

============================================================


TOP VULNERABILITY THIS WEEK: Another zero-day vulnerability exposed in Internet Explorer


*************** Sponsored By AWS Marketplace **************


AWS Education Series: Endpoints in the Cloud, Guidance for Evaluating AWS Marketplace Endpoint Security Solutions. SANS instructor David Hazer and Optiv's cloud security practice leader Joe Vadakkan discuss design and architecture considerations, capabilities vs. needs, criteria points and questions to ask providers during the live webcast on June 12, 2019, 2PM ET. http://www.sans.org/info/213015


============================================================

TRAINING UPDATE

 

-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019

 

-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019

 

-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019

 

-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019

 

-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019

 

-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019

 

-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019

 

-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019

 

-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019

 

-- SANS OnDemand and vLive Training

Get an iPad Mini, ASUS Chromebook Flip, or Take $250 off through June 12 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/

 

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

 

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) ICYMI: "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" get it here: http://www.sans.org/info/213020


2) Don't Miss "Lessons From the Front Lines of AppSec: Analysis of real-world attacks from 2019 and best practices for dealing with them"  Register:  http://www.sans.org/info/213025


3) ICYMI: "Not sure that you need OT Cybersecurity? A Sentryo Assessment can quickly provide the data and guidance that you need." Register: http://www.sans.org/info/213030


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Vulnerability could allow JavaScript to be injected into Internet Explorer 11

Description: Researchers uncovered more Microsoft zero-day vulnerabilities. One of the critical bugs could allow an attacker to inject a DLL into Internet Explorer 11; after the injection, the exploit opens a file picker and an HTML page whose JavaScript executes in a lower security context. A second zero-day is a privilege escalation vulnerability in Windows Error Reporting.

Reference: https://www.bleepingcomputer.com/news/microsoft/poc-exploits-released-for-two-more-windows-vulnerabilities/

Snort SIDs: 50183, 50184

 

Title: Winnti malware now appears on Linux

Description: A new variant of the Winnti malware has been spotted in the wild on Linux machines. The malware acts as a backdoor for attackers and consists of two files: a main backdoor and a library that hides the malware's activity. Winnti's primary role is to handle communications with the command and control (C2) server and to deploy other modules directly from it.

Reference: https://www.scmagazine.com/home/security-news/malware/googles-chronicle-security-team-discovered-a-linux-version-of-the-winnti-malware-was-used-in-the-2015-hack-of-a-vietnamese-gaming-company/

Snort SIDs: 50164 - 50167


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Title insurance company First American Financial Corp. leaked hundreds of millions of documents related to mortgage deals dating back to 2003.

https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/


Hackers claim to have stolen the personal data of millions of Australian graphic design startup Canva's users.

https://www.zdnet.com/article/australian-tech-unicorn-canva-suffers-security-breach/


An estimated one million devices are still vulnerable to the wormable vulnerability that people are calling "BlueKeep," which Microsoft disclosed earlier this month.

https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/


Snapchat pushed back on a report that some of its employees used privileged access to spy on some users.

https://www.infosecurity-magazine.com/news/snapchat-claims-of-employees-1/


The U.S. charged WikiLeaks founder Julian Assange with 17 criminal charges for soliciting, receiving and publishing national secrets.

https://www.buzzfeednews.com/article/zoetillman/julian-assange-wikileaks-new-charges-us


A phony, malicious app on the Google Play store that steals users' cryptocurrencies was downloaded more than 1,000 times before being removed recently.

https://techcrunch.com/2019/05/23/cryptocurrency-stealing-android-app/


Several lawmakers are upset that a former NSA hacking tool is behind several attacks on American cities, most recently Baltimore. However, many researchers say it is on end users to patch their machines and protect them from these kinds of vulnerabilities.

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/05/28/the-cybersecurity-202-security-pros-divided-over-nsa-s-responsibility-for-baltimore-hack/5cec79771ad2e52231e8e80f/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:        CVE-2019-0708

Title:    Microsoft Remote Desktop Services Remote Code Execution Vulnerability

Vendor:    Microsoft

Description: A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.

CVSS v2 Base Score:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-5519

Title:    Multiple VMware Products Local Code Execution Vulnerability

Vendor:    VMware

Description: Multiple VMware products are exposed to a local code execution vulnerability. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Exploitation of this issue requires an attacker to have access to a virtual machine with a virtual USB controller present. This issue may allow a guest to execute code on the host.

CVSS v2 Base Score:    7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2016-10245

Title:    Doxygen Cross Site Scripting Vulnerability

Vendor:    Doxygen

Description: Doxygen is exposed to a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Insufficient sanitization of the query parameter in templates/html/search_opensearch.php could lead to reflected cross-site scripting or iframe injection.

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


ID:        CVE-2019-5960

Title:    WordPress WP Open Graph Plugin Cross Site Request Forgery Vulnerability

Vendor:    WordPress

Description: The WP Open Graph plugin for WordPress is exposed to a cross-site request forgery vulnerability caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious web site, a remote attacker could send a malformed HTTP request, perform certain unauthorized actions and gain access to the affected application. An attacker could exploit this vulnerability to perform cross-site scripting attacks, web cache poisoning and other malicious activities.

CVSS v2 Base Score:    5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)


ID:        CVE-2019-10320

Title:    Jenkins Credentials Plugin Information Disclosure Vulnerability

Vendor:    Jenkins

Description: The Credentials Plugin for Jenkins is exposed to an information disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks. Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master at an attacker-specified path, and to obtain the certificate content of files containing a PKCS#12 certificate.

CVSS v2 Base Score:    4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)


ID:        CVE-2019-3397

Title:    Atlassian Bitbucket Server Directory Traversal Vulnerability

Vendor:    Atlassian

Description: Atlassian Bitbucket Server and Data Center are exposed to a directory traversal vulnerability because the Data Center migration tool fails to sufficiently validate user-supplied input. A remote authenticated attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to access, read or write files outside of the restricted directory: reading exposes files that contain sensitive information, and writing arbitrary files to arbitrary locations can lead to execution of arbitrary code on the system.

CVSS v2 Base Score:    9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
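Both the Jenkins entry (attacker-specified path on the master) and the Bitbucket entry above come down to an application joining untrusted input onto a base directory without checking where the result lands. The following is an added example, not code from either vendor: a canonicalise-then-check helper that rejects "../" escapes, absolute paths and symlinks that lead outside the base, run against a constructed "migration" directory (the directory layout, file names and stray symlink are assumptions).

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the permitted directory."""


def resolve_under(base: str, user_path: str) -> Path:
    """Canonicalise user_path relative to base and refuse anything outside it.

    Rejects absolute paths, '../' segments and symlinks that point outside
    base.  The caller must URL-decode user_path *before* this check; decoding
    afterwards would re-open the hole.
    """
    base_dir = Path(base).resolve()
    if user_path.startswith(("/", "\\")) or Path(user_path).is_absolute():
        raise PathTraversalError(f"absolute path not allowed: {user_path!r}")
    candidate = (base_dir / user_path).resolve()   # collapses '..' and symlinks
    if candidate != base_dir and base_dir not in candidate.parents:
        raise PathTraversalError(f"{user_path!r} escapes {base_dir}")
    return candidate


def classify(base: str, user_paths: List[str]) -> Dict[str, bool]:
    """Map each candidate path to True (accepted) or False (rejected)."""
    verdicts: Dict[str, bool] = {}
    for p in user_paths:
        try:
            resolve_under(base, p)
            verdicts[p] = True
        except PathTraversalError:
            verdicts[p] = False
    return verdicts


def demo() -> Dict[str, bool]:
    """Constructed 'migration' directory with a symlink pointing back outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "migration")
        os.makedirs(os.path.join(base, "export"))
        os.symlink(tmp, os.path.join(base, "escape"))   # hypothetical stray symlink
        return classify(base, [
            "export/repo.tar",       # ordinary relative path: accepted
            "export/../repo.tar",    # '..' that stays inside base: accepted
            "../outside.txt",        # classic dot-dot escape: rejected
            "/etc/passwd",           # absolute path: rejected
            "export/../../outside",  # escape through nested '..': rejected
            "escape/outside.txt",    # escape through the symlink: rejected
        ])
```

Note that a simple substring check for "../" would pass the symlink case; resolving the full path first is what makes the comparison meaningful.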


ID:        CVE-2019-12295

Title:    Wireshark 'epan/packet.c' Denial of Service Vulnerability

Vendor:    Wireshark

Description: Wireshark is exposed to a remote denial of service vulnerability: the dissection engine could crash. An attacker can exploit this issue by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. This was addressed in epan/packet.c by restricting the number of layers and consequently limiting recursion.

CVSS v2 Base Score:    5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
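The Wireshark fix described above caps the number of encapsulation layers so that a packet built from nested headers cannot drive the dissector into unbounded recursion. This added example (not Wireshark's code) shows the same idea on a constructed toy encapsulation format: the naive dissector exhausts the interpreter's stack on a crafted capture, while the layer-limited one reports the packet as malformed and stops. The format, constants and sample packets are all assumptions made for the demonstration.

```python
from typing import List, Optional

# Constructed toy format (not Wireshark's): each layer starts with a one-byte
# type. 0x01 is a tunnel header whose payload is another layer; 0x02 marks
# the innermost application data.
TUNNEL, DATA = 0x01, 0x02
MAX_LAYERS = 500  # cap on encapsulation depth, the same idea as the epan/packet.c fix


def dissect(packet: bytes, max_layers: Optional[int], depth: int = 0) -> List[str]:
    """Recursive dissector. With max_layers=None every tunnel header recurses
    once more; with a cap, dissection stops once the layer budget is spent."""
    if max_layers is not None and depth >= max_layers:
        return ["malformed: layer limit exceeded"]
    if not packet:
        return ["malformed: truncated"]
    if packet[0] == TUNNEL:
        return ["tunnel"] + dissect(packet[1:], max_layers, depth + 1)
    if packet[0] == DATA:
        return [f"data({len(packet) - 1} bytes)"]
    return ["malformed: unknown type"]


def dissect_unbounded(packet: bytes) -> List[str]:
    """The vulnerable behaviour: no limit on nesting depth."""
    return dissect(packet, None)


def dissect_bounded(packet: bytes) -> List[str]:
    """The fixed behaviour: at most MAX_LAYERS layers are dissected."""
    return dissect(packet, MAX_LAYERS)


def crashes_unbounded(packet: bytes) -> bool:
    """True if the naive dissector blows the stack. Python's RecursionError
    stands in for the native crash the advisory describes."""
    try:
        dissect_unbounded(packet)
        return False
    except RecursionError:
        return True


# Constructed inputs: an ordinary doubly-tunnelled packet, and a malformed one
# carrying 20,000 nested tunnel headers in front of a one-byte payload.
NORMAL_PACKET = bytes([TUNNEL, TUNNEL, DATA]) + b"hello"
CRAFTED_PACKET = bytes([TUNNEL]) * 20_000 + bytes([DATA]) + b"x"
```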


=========================================================


MOST PREVALENT MALWARE FILES May 23 - 30:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/#/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: f08f4374674a8993ddaf89dcaf216bc6952d211763b8489366b0835f0eda1950

MD5: b9a5e492a6c4dd618613b1a2a9c6a4fb

VirusTotal: https://www.virustotal.com/#/file/f08f4374674a8993ddaf89dcaf216bc6952d211763b8489366b0835f0eda1950/details

Typical Filename: maf-task.zip

Claimed Product: N/A

Detection Name: PUA.Osx.Adware.Gt32supportgeeks::221862.in02


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/#/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201

 

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201

 

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/#/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: wup.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


=============================================================


(c) 2019.  All rights reserved.  The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743