@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
May 30, 2019=============================================================
@RISK: The Consensus Security Vulnerability Alert
May 30, 2019 - Vol. 19, Num. 22
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 23 - 30
============================================================
TOP VULNERABILITY THIS WEEK: Another zero-day vulnerability exposed in Internet Explorer
*************** Sponsored By AWS Marketplace **************
AWS Education Series: Endpoints in the Cloud, Guidance for Evaluating AWS Marketplace Endpoint Security Solutions. SANS instructor David Hazer and Optiv's cloud security practice leader Joe Vadakkan discuss design and architecture considerations, capabilities vs. needs, criteria points and questions to ask providers during the live webcast on June 12, 2019, 2PM ET. http://www.sans.org/info/213015
============================================================
TRAINING UPDATE
-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019
-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019
-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019
-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019
-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019
-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019
-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019
-- SANS OnDemand and vLive Training
Get an iPad Mini, ASUS Chromebook Flip, or Take $250 off through June 12 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) ICYMI: "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" get it here: http://www.sans.org/info/213020
2) Don't Miss "Lessons From the Front Lines of AppSec: Analysis of real-world attacks from 2019 and best practices for dealing with them" Register: http://www.sans.org/info/213025
3) ICYMI: "Not sure that you need OT Cybersecurity? A Sentryo Assessment can quickly provide the data and guidance that you need." Register: http://www.sans.org/info/213030
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Vulnerability could allow JavaScript to be injected into Internet Explorer 11
Description: Researchers uncovered another Microsoft zero-day vulnerability. One of the critical bugs could allow an attacker to inject a DLL into Internet Explorer 11. After the injection, the exploit opens a filepicker and an HTML page that contains JavaScript that executes in a lower security context. There is also a zero-day privilege escalation vulnerability in Windows Error Reporting.
Snort SIDs: 50183, 50184
Title: Winnti malware now appears on Linux
Description: A new variant of the Winnti malware has been spotted in the wild being exploited on Linux machines. The malware acts as a backdoor for attackers. There are two different files - a main backdoor and a library that can hide the malware's activity. Winnti's primary role is to handle communications and deploy other modules directly from the command and control (C2) server.
Snort SIDs: 50164 - 50167
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Title Insurance company First American Financial Corp. leaked hundreds of millions of documents related to mortgage deals dating back to 2003.
Hackers claim to have stolen the personal data of millions of Australian graphic design startup Canva's users.
https://www.zdnet.com/article/australian-tech-unicorn-canva-suffers-security-breach/
An estimated one million devices are still vulnerable to the wormable vulnerability that people are calling "BlueKeep," which Microsoft disclosed earlier this month.
https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/
Snapchat pushed back on a report that some of its employees used privileged access to spy on some users.
https://www.infosecurity-magazine.com/news/snapchat-claims-of-employees-1/
The U.S. charged WikiLeaks founder Julian Assange with 17 criminal charges for soliciting, receiving and publishing national secrets.
https://www.buzzfeednews.com/article/zoetillman/julian-assange-wikileaks-new-charges-us
A phony, malicious app on the Google Play store that steals users' cryptocurrencies was downloaded more than 1,000 times before being removed recently.
https://techcrunch.com/2019/05/23/cryptocurrency-stealing-android-app/
Several lawmakers are upset that a former NSA hacking tool is behind several attacks on American cities, most recently Baltimore. However, many researchers say it is on end users to patch their machines and protect them from these kinds of vulnerabilities.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2019-0708
Title: Microsoft Remote Desktop Services Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2019-5519
Title: Multiple VMware Products Local Code Execution Vulnerability
Vendor: VMware
Description: Multiple VMware products are exposed to a local code execution vulnerability. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Exploitation of this issue requires an attacker to have access to a virtual machine with a virtual USB controller present. This issue may allow a guest to execute code on the host.
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2016-10245
Title: Doxygen Cross Site Scripting Vulnerability
Vendor: Doxygen
Description: Doxygen is exposed to a cross site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie based authentication credentials and launch other attacks. Insufficient sanitization of the query parameter in templates/html/search_opensearch.php could lead to reflected cross site scripting or iframe injection.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
ID: CVE-2019-5960
Title: WordPress WP Open Graph Plugin Cross Site Request Forgery Vulnerability
Vendor: WordPress
Description: The WP Open Graph Plugin for WordPress is exposed to a cross-site request-forgery vulnerability. An attacker can exploit this issue to perform certain unauthorized actions and gain access to the affected application. WP Open Graph plugin for WordPress is vulnerable to cross site request forgery, caused by improper validation of user supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
ID: CVE-2019-10320
Title: Jenkins Credentials Plugin Information Disclosure Vulnerability
Vendor: Jenkins
Description: Credentials Plugin for Jenkins is exposed to an information disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks. Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.
CVSS v2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
ID: CVE-2019-3397
Title: Atlassian Bitbucket Server Directory Traversal Vulnerability
Vendor: Atlassian
Description: Atlassian Bitbucket Server is exposed to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue using directory traversal characters ('../') to access, write or read arbitrary files that contain sensitive information or to access files outside of the restricted directory to obtain sensitive information and execute arbitrary code. Atlassian Bitbucket Data Center could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user request by Data Center migration tool. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to write arbitrary files to arbitrary locations to execute arbitrary code on the system.
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
ID: CVE-2019-12295
Title: Wireshark 'epan/packet.c' Denial of Service Vulnerability
Vendor: Wireshark
Description: Wireshark is exposed to a remote denial of service vulnerability. An attacker can exploit this issue by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
In Wireshark, the dissection engine could crash. This was addressed in epan/packet.c by restricting the number of layers and consequently limiting recursion.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
=========================================================
MOST PREVALENT MALWARE FILES May 23 - 30:
COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/#/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: f08f4374674a8993ddaf89dcaf216bc6952d211763b8489366b0835f0eda1950
MD5: b9a5e492a6c4dd618613b1a2a9c6a4fb
VirusTotal: https://www.virustotal.com/#/file/f08f4374674a8993ddaf89dcaf216bc6952d211763b8489366b0835f0eda1950/details
Typical Filename: maf-task.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Gt32supportgeeks::221862.in02
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/#/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: https://www.virustotal.com/#/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details
Typical Filename: wup.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
=============================================================
(c) 2019. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743
