@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

June 6, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

               June 06, 2019 - Vol. 19, Num. 23


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES May 30 - June 4

============================================================


TOP VULNERABILITY THIS WEEK:  WordPress plugin vulnerability used in the wild to redirect users to malicious websites


*********** Sponsored By Amazon Web Services, Inc. ***********


AWS Education Series: JumpStart Guide for Endpoint Security in AWS. SANS instructor David Hazer and Optiv's cloud security practice leader Joe Vadakkan discuss key evaluation points, capability requirements, questions to ask vendors and real-world examples during a live webcast June 12, 2019, at 2 p.m. EDT--hosted by AWS Marketplace. http://www.sans.org/info/212995


============================================================

TRAINING UPDATE

 

-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019


-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019


-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019


-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019


-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019


-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019


-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019


-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019


-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019


-- SANS OnDemand and vLive Training

Get an iPad Mini, ASUS Chromebook Flip, or Take $250 off through June 12 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Don't miss "SIEM as Alexa - How Natural Language Processing Can Transform Your Cyber Security Experience"  Register:  http://www.sans.org/info/213155


2) How do your threat hunting efforts stack up with your peers? Take the SANS 2019 Threat Hunting Survey--and enter to win a $400 Amazon gift card! http://www.sans.org/info/213160


3) ICYMI: "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" get it here: http://www.sans.org/info/213165


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Attackers exploit bug in popular WordPress plugin to inject malicious JavaScript

Description: Attackers are exploiting a recently patched bug in a WordPress plugin that allows them to redirect users to malicious sites. The vulnerability exists in the content management system's instant chat plugin, which lets site managers communicate directly with users. The bug allows attackers to inject malicious JavaScript into these sites, redirecting visitors to attacker-controlled websites or displaying malicious pop-ups.

Reference: https://arstechnica.com/information-technology/2019/05/hackers-actively-exploit-wordpress-plugin-flaw-to-send-visitors-to-bad-sites/

Snort SIDs: 50299

 

Title: Cisco Firepower protects against encrypted attacks exploiting Microsoft RDP bug

Description: Researchers at Cisco Talos discovered a new way to protect against encrypted attacks exploiting a recently disclosed vulnerability in Microsoft RDP. Microsoft disclosed the bug in May, but did not provide any guidance on how to mitigate attacks. A new method using Cisco Firepower Management Center allows users to protect themselves from attacks that would otherwise go virtually undetected.

Reference: https://blog.talosintelligence.com/2019/05/firepower-encrypted-rdp-detection.html

Snort SIDs: 50137

============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Apple unveiled a new authentication system that will allow users to log into third-party sites by using their Apple ID, which the company says will make it tougher for apps to track users.

https://www.securityweek.com/apple-unveils-privacy-focused-authentication-system


Security researchers say there is no evidence that the EternalBlue NSA exploit was used in a ransomware attack on the city of Baltimore.

https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/


A new malware, which pulls together several open-source components, appears to have been used in several document-based attacks January through April of this year.

https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html


Several American universities, foundations and retirement plans have invested in two Chinese facial recognition companies that the Chinese government is now using to surveil its citizens.

https://www.buzzfeednews.com/article/ryanmac/us-money-funding-facial-recognition-sensetime-megvii?%3Fbftw=world


The U.S. State Department is now requesting all visa applicants provide their social media account handles.

https://www.nytimes.com/2019/06/02/us/us-visa-application-social-media.html


Google is rolling out a series of new policies aimed to eliminate malicious plugins from the extensions store of its Chrome browser.

https://www.wired.com/story/google-chrome-extensions-security-changes/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:        CVE-2019-9510

Title:    Microsoft Windows RDP Network Level Authentication lock screen Bypass Vulnerability

Vendor:    Microsoft

Description: Starting with Windows 10 1803 (released in April 2018) and Windows Server 2019, the handling of RDP sessions has changed in a way that can cause unexpected behavior with respect to session locking. If a network anomaly triggers a temporary RDP disconnect, upon Automatic Reconnection the RDP session will be restored to an unlocked state, regardless of how the remote system was left. At this point, an attacker can interrupt the network connectivity of the RDP client system. The RDP client software will automatically reconnect to the remote system once internet connectivity is restored. But because of this vulnerability, the reconnected RDP session is restored to a logged in desktop rather than the login screen. This means that the remote system unlocks without requiring any credentials to be manually entered.

CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:        CVE-2018-15664

Title:    Docker FollowSymlinkInScope Function Race Condition Vulnerability

Vendor:    Docker

Description: Docker is exposed to a directory traversal vulnerability. The vulnerability exists in the FollowSymlinkInScope function, which is susceptible to a TOCTOU (time-of-check to time-of-use) attack. If exploited successfully, an attacker can resolve a symlink path component on the host as root. In the case of the 'docker cp' command, an attacker can gain read and write access to any path on the host. An attacker may exploit this issue to gain read/write access to files outside of the restricted directory; this may aid in further attacks.

CVSS v2 Base Score:    9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


ID:        CVE-2002-1876

Title:    Microsoft Exchange 2000 Post Authorization License Exhaustion Denial Of Service Vulnerability

Vendor:    Microsoft

Description: A vulnerability exists in Microsoft Exchange 2000. Allegedly, Exchange 2000 will experience a denial of service condition when an authenticated user makes many requests. The vulnerability is due to IIS incorrectly allocating licenses to Exchange. Making numerous, rapid requests will exhaust available licenses granted to Exchange by IIS. Microsoft Exchange 2000 allows remote authenticated attackers to cause a denial of service via a large number of rapid requests, which consumes all of the licenses that are granted to Exchange by IIS.

CVSS v2 Base Score:    2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)


ID:        CVE-2019-1870

Title:    Cisco Enterprise Chat and Email Cross Site Scripting Vulnerability

Vendor:    Cisco

Description: Cisco Enterprise Chat and Email is exposed to a cross site scripting vulnerability because it fails to sanitize user supplied input. The vulnerability is due to insufficient validation of user supplied input by the web-based management interface of an affected device. This vulnerability in the web-based management interface of Cisco Enterprise Chat and Email (ECE) Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the web interface or allow the attacker to access sensitive browser-based information.

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


ID:        CVE-2019-12616

Title:    phpMyAdmin Cross Site Request Forgery Vulnerability

Vendor:    phpMyAdmin

Description: phpMyAdmin is exposed to a cross site request forgery vulnerability because it does not properly validate HTTP requests. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. The vulnerability allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.

CVSS v2 Base Score:    4.3  (AV:N/AC:M/Au:N/C:N/I:P/A:N)


ID:        CVE-2019-12308

Title:    Django Cross Site Scripting Vulnerability

Vendor:    Django

Description: Django is exposed to a cross site scripting vulnerability because it fails to properly sanitize user supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. The clickable Current URL value displayed by the AdminURLFieldWidget shows the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
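The Django entry above turns on one point: HTML-escaping a value does not make it safe to place in an href, because the danger is the URL scheme, not markup characters. The following added example (written for this newsletter, not Django's own code) renders a "current URL" link the unvalidated way beside a hardened version that only links allow-listed web schemes; the allow-list and the sample values are constructed assumptions.

```python
"""Added example (not Django's code): an unvalidated clickable-URL widget
beside one that validates the scheme before rendering an anchor."""
from html import escape
from urllib.parse import urlsplit

# Schemes that may be rendered as a clickable link. This allow-list is an
# assumption for the example, not Django's exact validation rule.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def render_link_unvalidated(value: str) -> str:
    """Pre-fix behaviour: escape the raw value and link it, whatever its scheme.
    Escaping prevents tag injection but a 'javascript:' scheme still executes
    when the link is clicked."""
    v = escape(value, quote=True)
    return f'<a href="{v}">{v}</a>'


def is_safe_web_url(value: str) -> bool:
    """True only for absolute URLs with an allow-listed scheme and a host."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # e.g. malformed IPv6 literal in the host
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_link_validated(value: str) -> str:
    """Fixed behaviour: link only validated URLs; anything else is shown as
    inert escaped text with no anchor at all."""
    v = escape(value, quote=True)
    if is_safe_web_url(value):
        return f'<a href="{v}">{v}</a>'
    return v


if __name__ == "__main__":
    # Constructed sample values: a legitimate URL, a script-scheme value of the
    # kind the CVE describes, and a relative path that should not be linked.
    for sample in ("https://example.com/report", "javascript:void(0)", "docs/readme"):
        print("unvalidated:", render_link_unvalidated(sample))
        print("validated:  ", render_link_validated(sample))
```

The hardened version also refuses scheme-relative and bare-path values, which a stored-value XSS check should treat as unverified rather than as links.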


ID:        CVE-2019-1861

Title:    Cisco Industrial Network Director Remote Code Execution Vulnerability

Vendor:    Cisco

Description: Cisco Industrial Network Director is exposed to a remote code execution vulnerability. A remote attacker can leverage this issue to execute arbitrary code within the context of the application. The vulnerability is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system using administrator privileges and uploading an arbitrary file. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges.

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


=========================================================


MOST PREVALENT MALWARE FILES May 30 - June 6:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/#/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 144e4b5a6e99d9e89dae2ac2907c313d253878e13db86c6f5c50dae6e17a015a

MD5: 5e3b592b8e093f92ae9f6cfc93b22c58

VirusTotal: https://www.virustotal.com/gui/file/144e4b5a6e99d9e89dae2ac2907c313d253878e13db86c6f5c50dae6e17a015a/details

Typical Filename: pupdate.exe

Claimed Product: Internet Explorer

Detection Name: W32.144E4B5A6E-95.SBX.TG


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/#/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201

 

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201

 

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/#/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: wup.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


=============================================================


(c) 2019.  All rights reserved.  The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743