@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
June 6, 2019=============================================================
@RISK: The Consensus Security Vulnerability Alert
June 06, 2019 - Vol. 19, Num. 23
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES May 30 - June 4
============================================================
TOP VULNERABILITY THIS WEEK: WordPress plugin vulnerability used in the wild to redirect users to malicious websites
*********** Sponsored By Amazon Web Services, Inc. ***********
AWS Education Series: JumpStart Guide for Endpoint Security in AWS. SANS instructor David Hazer and Optiv's cloud security practice leader Joe Vadakkan discuss key evaluation points, capability requirements, questions to ask vendors and real-world examples during a live webcast June 12, 2019, at 2 p.m. EDT--hosted by AWS Marketplace. http://www.sans.org/info/212995
============================================================
TRAINING UPDATE
-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019
-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019
-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019
-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019
-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019
-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019
-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019
-- SANS OnDemand and vLive Training
Get an iPad Mini, ASUS Chromebook Flip, or Take $250 off through June 12 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Don't miss "SIEM as Alexa - How Natural Language Processing Can Transform Your Cyber Security Experience" Register: http://www.sans.org/info/213155
2) How do your threat hunting efforts stack up with your peers? Take the SANS 2019 Threat Hunting Survey--and enter to win a $400 Amazon gift card! http://www.sans.org/info/213160
3) ICYMI: "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" get it here: http://www.sans.org/info/213165
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Attackers exploit bug in popular WordPress vulnerability to inject malicious JavaScript
Description: Attackers are exploiting a recently patched bug in a WordPress plugin that allows them to redirect users to malicious sites. The vulnerability exists in the content management system's instant chat plugin, which can allow site managers to communicate directly with users. The bug allows attackers to inject malicious JavaScript into these sites, sending them to attacker-controlled websites or displaying malicious pop-ups.
Snort SIDs: 50299
Title: Cisco Firepower protects against encrypted attacks exploiting Microsoft RDP bug
Description: Researchers at Cisco Talos discovered a new way to protect against encrypted attacks exploiting a recently disclosed vulnerability in Microsoft RDP. Microsoft disclosed the bug in May, but did not provide any guidance on how to mitigate attacks. A new method using Cisco Firepower Management Center allows users to protect themselves from attacks that would otherwise go virtually undetected.
Reference: https://blog.talosintelligence.com/2019/05/firepower-encrypted-rdp-detection.html
Snort SIDs: 50137
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Apple unveiled a new authentication system that will allow users to log into third-party sites by using their Apple ID, which the company says will make it tougher for apps to track users.
https://www.securityweek.com/apple-unveils-privacy-focused-authentication-system
Security researchers say there is no evidence that the EternalBlue NSA exploit was used in a ransomware attack on the city of Baltimore.
A new malware, which pulls together several open-source components, appears to have been used in several document-based attacks January through April of this year.
https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html
Several American universities, foundations and retirement plans have invested in two Chinese facial recognition companies that the Chinese government is now using to surveil its citizens.
The U.S. State Department is now requesting all visa applicants provide their social media account handles.
https://www.nytimes.com/2019/06/02/us/us-visa-application-social-media.html
Google is rolling out a series of new policies aimed to eliminate malicious plugins from the extensions store of its Chrome browser.
https://www.wired.com/story/google-chrome-extensions-security-changes/
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2019-9510
Title: Microsoft Windows RDP Network Level Authentication lock screen Bypass Vulnerability
Vendor: Microsoft
Description: Starting with Windows 10 1803 (released in April 2018) and Windows Server 2019, the handling of RDP sessions has changed in a way that can cause unexpected behavior with respect to session locking. If a network anomaly triggers a temporary RDP disconnect, upon Automatic Reconnection the RDP session will be restored to an unlocked state, regardless of how the remote system was left. At this point, an attacker can interrupt the network connectivity of the RDP client system. The RDP client software will automatically reconnect to the remote system once internet connectivity is restored. But because of this vulnerability, the reconnected RDP session is restored to a logged in desktop rather than the login screen. This means that the remote system unlocks without requiring any credentials to be manually entered.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
ID: CVE-2018-15664
Title: Docker FollowSymlinkInScope Function Race Condition Vulnerability
Vendor: Docker
Description: Docker is exposed to a directory traversal vulnerability. The vulnerability exists in the FollowSymlinkInScope function, which could cause a TOCTOU attack. If exploited successfully, an attacker can resolve the symlink path component on the host as root. In the case of 'docker cp' command an attacker can read and write access to any path on the host. An attacker may exploit this issue to gain read/write access to the files outside of the restricted directory; this may aid in further attacks.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2002-1876
Title: Microsoft Exchange 2000 Post Authorization License Exhaustion Denial Of Service Vulnerability
Vendor: Microsoft
Description: A vulnerability exists in Microsoft Exchange 2000. Allegedly, Exchange 2000 will experience a denial of service condition when an authenticated user makes many requests. The vulnerability is due to IIS incorrectly allocating licenses to Exchange. Making numerous, rapid requests will exhaust available licenses granted to Exchange by IIS. Microsoft Exchange 2000 allows remote authenticated attackers to cause a denial of service via a large number of rapid requests, which consumes all of the licenses that are granted to Exchange by IIS.
CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
ID: CVE-2019-1870
Title: Cisco Enterprise Chat and Email Cross Site Scripting Vulnerability
Vendor: Cisco
Description: Cisco Enterprise Chat and Email is exposed to a cross site scripting vulnerability because it fails to sanitize user supplied input. The vulnerability is due to insufficient validation of user supplied input by the web-based management interface of an affected device. This vulnerability in the web-based management interface of Cisco Enterprise Chat and Email (ECE) Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the web interface or allow the attacker to access sensitive browser-based information.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
ID: CVE-2019-12616
Title: phpMyAdmin Cross Site Request Forgery Vulnerability
Vendor: phpMyAdmin
Description: phpMyAdmin is exposed to a cross site request forgery vulnerability because it does not properly validate HTTP requests. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. The vulnerability allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
ID: CVE-2019-12308
Title: Django Cross Site Scripting Vulnerability
Vendor: Django
Description: Django is exposed to a cross site scripting vulnerability because it fails to properly sanitize user supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
ID: CVE-2019-1861
Title: Cisco Industrial Network Director Remote Code Execution Vulnerability
Vendor: Cisco
Description: Cisco Industrial Network Director is exposed to a remote code execution vulnerability. A remote attacker can leverage this issue to execute arbitrary code within the context of the application. The vulnerability is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system using administrator privileges and uploading an arbitrary file. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
=========================================================
MOST PREVALENT MALWARE FILES May 30 - June 6:
COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/#/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 144e4b5a6e99d9e89dae2ac2907c313d253878e13db86c6f5c50dae6e17a015a
MD5: 5e3b592b8e093f92ae9f6cfc93b22c58
VirusTotal: https://www.virustotal.com/gui/file/144e4b5a6e99d9e89dae2ac2907c313d253878e13db86c6f5c50dae6e17a015a/details
Typical Filename: pupdate.exe
Claimed Product: Internet Explorer
Detection Name: W32.144E4B5A6E-95.SBX.TG
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/#/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: https://www.virustotal.com/#/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details
Typical Filename: wup.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
=============================================================
(c) 2019. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743
