Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

July 25, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                July 25, 2019 - Vol. 19, Num. 30


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES July 18 - 25

============================================================


TOP VULNERABILITY THIS WEEK: AZORult trojan delivered via malicious YouTube links, supposed video game cheats


******************** Sponsored By AWS Marketplace ********************


Getting the Most Out of Cloud-Based Firewalls in AWS and Amazon EC2. SANS analyst Kevin Garvey explains how cloud-based firewalls differ from more traditional firewalls, the ease with which organizations can manage firewalls in AWS, and how to utilize advanced features of cloud-based firewalls for better protection and response. July 25, 2 PM ET. http://www.sans.org/info/213430


============================================================

TRAINING UPDATE


-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019


-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019


-- SANS Chicago 2019 | August 19-24 | https://www.sans.org/event/chicago-2019


-- SANS Virginia Beach 2019 | August 19-30 | https://www.sans.org/event/virginia-beach-2019


-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019


-- SANS DFIR Europe Summit and Training 2019 | Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019


-- Threat Hunting & Incident Response Summit 2019 | New Orleans, LA | September 30-October 7 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- SANS OnDemand and vLive Training


Get an 11" iPad Pro, Surface Pro, or Take $350 Off through August 7 with OnDemand or vLive training.


https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcast - https://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training


SANS Mentor |  https://www.sans.org/mentor/about


Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap


https://www.sans.org/courses


https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) July 29th at 1 PM ET: Is Your Plant Cyber Resilient? Next Steps to Achieving Safe and Secure Plant Operation. Register: http://www.sans.org/info/213720


2) SANS would like your input on the effectiveness of your security testing program! Take this quick poll: http://www.sans.org/info/213725


3) ICYMI: "Modernize Your Security Platform to Prepare for the Latest Threats." View this IBM webcast: http://www.sans.org/info/213730


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Attackers spread AZORult trojan, attempts to steal passwords

Description: Attackers recently began spreading the AZORult trojan AZORult through a series of phony cheat codes for video games, such as "CounterStrike: Go and Player Unknown's Battlegrounds. The attackers embedded links to the supposed cheats in YouTube videos and other social media sites. Once installed, the trojan attempts to steal users' passwords. This Snort rule fires when AZORult attempts to make an outbound connection to its command and control server.

Reference: https://www.bleepingcomputer.com/news/security/fake-cs-go-pubg-rust-cheats-push-password-stealing-trojan/

Snort SIDs: 50771 (Written by Tim Muniz)

 

Title: New protection rolled out for Microsoft vulnerability exploited in the wild

Description: Attackers continue to exploit a previously disclosed vulnerability in Windows' win32k.sys component. The escalation of privilege bug, identified as CVE?2019?1132, was exploited in a series of targeted attacks in Eastern Europe. An APT installed espionage malware on victim machines through this bug. Two new Snort rules activate when a user attempts to corrupt a machine's memory using this vulnerability.

Reference: https://www.welivesecurity.com/2019/07/10/windows-zero-day-cve-2019-1132-exploit/

Snort SIDs: 50734 - 50737 (Written by Joanne Kim)



============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Some Android phones are open to an exploit that could allow an attacker to listen in on any audio played over speakerphone using devices' accelerometer.

https://threatpost.com/samsung-lg-android-spearphone-eavesdropping/146625/


A cloud hosting company that provides cloud-based QuickBooks accounting software said it was the victim of a ransomware attack last week, leading to some customers' data becoming inaccessible.

https://krebsonsecurity.com/2019/07/quickbooks-cloud-hosting-firm-insynq-hit-in-ransomware-attack/


Credit reporting firm Equifax agreed to a settlement worth up to $700 million over a data breach in 2017, but security advocates and some lawmakers say the fine doesn't go far enough.

https://www.wired.com/story/equifax-fine-not-enough/


Apple's latest round of updates fixed a vulnerability in the Apple Watch's Walkie Talkie app that could allow an attacker to listen in on users' conversations.

https://arstechnica.com/gadgets/2019/07/apple-releases-ios-12-4-watchos-5-3-macos-10-14-6-and-more/


There are still 805,665 operating systems vulnerable to the highly publicized BlueKeep vulnerability, according to a new study.

https://www.bitsight.com/blog/industry-response-to-bluekeep-vulnerability


The National Security Agency plans to launch a new cybersecurity directorate later this year as part of a larger effort to align the U.S.'s offensive and defensive cyber capabilities.

https://www.wsj.com/articles/nsa-forms-cybersecurity-directorate-under-more-assertive-u-s-effort-11563876005


U.S. Attorney General William Barr spoke out against encrypted data, saying that it could allow "criminals to operate with impunity."

https://thehill.com/policy/technology/454292-barr-warns-encryption-allows-criminals-to-operate-with-impunity



=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:        CVE-2019-13962

Title:    VideoLAN VLC Heap Based Buffer Overflow Vulnerability

Vendor:    VideoLAN

Description: VideoLAN VLC is exposed to a heap based buffer overflow vulnerability. lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VLC media player has a heap based buffer over read because it does not properly validate the width and height. Attackers can exploit this issue to cause a denial of service condition, denying service to legitimate users.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-1579

Title:    Palo Alto Networks PAN-OS Multiple Remote Code Execution Vulnerabilities

Vendor:    Palo Alto Networks

Description: Palo Alto Networks PAN-OS is exposed to multiple remote code execution vulnerabilities. Remote Code Execution in PAN-OS with GlobalProtect Portal or GlobalProtect Gateway Interface enabled may allow an unauthenticated remote attacker to execute arbitrary code. Successfully exploiting these issues may result in the execution of arbitrary code in the context of the affected application.

CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-0211

Title:    Apache HTTP Server Local Privilege Escalation Vulnerability

Vendor:    Apache

Description: Apache HTTP Server is exposed to a local privilege escalation vulnerability. In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. An attacker can exploit this issue to gain elevated privileges on the affected application.

CVSS v2 Base Score:    7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-2725

Title:    Oracle WebLogic Server Deserialization Remote Command Execution Vulnerability

Vendor:    Oracle

Description: Oracle WebLogic Server is exposed to a remote command execution vulnerability. Attackers can exploit this issue to execute an arbitrary command within the context of a user running the affected application. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2017-14735

Title:    OWASP AntiSamy Cross Site Scripting Vulnerability

Vendor:    OWASP

Description: OWASP AntiSamy is exposed to a cross site scripting vulnerability because it fails to properly sanitize user supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


ID:        CVE-2019-13345

Title:    Squid Multiple Cross Site Scripting Vulnerabilities

Vendor:    Squid

Description: Squid is exposed to multiple cross site scripting vulnerabilities because it fails to sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie based authentication credentials and launch other attacks.

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


ID:        CVE-2019-1010142

Title:    Scapy '_RADIUSAttrPacketListField' Class Remote Denial of Service Vulnerability

Vendor:    Scapy

Description: Scapy is exposed to a remote denial of service vulnerability. Attackers can exploit this issue to crash the affected application, denying service to legitimate users.

CVSS v2 Base Score:    5.0  (AV:N/AC:L/Au:N/C:N/I:N/A:P)


=========================================================


MOST PREVALENT MALWARE FILES July 18 - 25:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 6dfaacd6f16cb86923f21217ca436b09348ee72b34849921fed2a17bddd59310

MD5: 7054c32d4a21ae2d893a1c1994039050

VirusTotal: https://www.virustotal.com/gui/file/6dfaacd6f16cb86923f21217ca436b09348ee72b34849921fed2a17bddd59310/details

Typical Filename: maftask.zip

Claimed Product: N/A

Detection Name: PUA.Osx.Adware.Advancedmaccleaner::tpd


SHA 256: e062f35810260a1406895acff447e412a8133380807ef3ddc91c70c01bd34b50

MD5: 5a315fdaa14ae98226de43940630b147

VirusTotal: https://www.virustotal.com/gui/file/e062f35810260a1406895acff447e412a8133380807ef3ddc91c70c01bd34b50/details

Typical Filename: FYDUpdate.exe

Claimed Product: Minama

Detection Name: W32.E062F35810-95.SBX.TG


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: xme64-2141.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08

MD5: db69eaaea4d49703f161c81e6fdd036f

VirusTotal: https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details

Typical Filename: xme32-2141-gcc.exe

Claimed Product: N/A

Detection Name: W32.46B241E3D3-95.SBX.TG



=============================================================


(c) 2019. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create


 SANS Institute Privacy Policy

 11200 Rockville Pike, Suite 200, North Bethesda, MD, 20852