@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
August 1, 2019=============================================================
@RISK: The Consensus Security Vulnerability Alert
August 01, 2019 - Vol. 19, Num. 31
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES July 25 - Aug. 1
============================================================
TOP VULNERABILITY THIS WEEK: Godlua backdoor communicates over DNS, targets Linux and Windows systems
************** Sponsored By AWS Marketplace ****************
AWS Education Series: Streamline Detection and Response by Integrating SIEM and SOAR in AWS. SANS, Optiv and AWS speakers will discuss design considerations, needs and capabilities, as well as technical, business and operational requirements for integrating and orchestrating SIEM and SOAR technologies in the AWS cloud. August 14, 2 PM ET. http://www.sans.org/info/213795
============================================================
TRAINING UPDATE
-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019
-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019
-- SANS Chicago 2019 | August 19-24 | https://www.sans.org/event/chicago-2019
-- SANS Virginia Beach 2019 | August 19-30 | https://www.sans.org/event/virginia-beach-2019
-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019
-- SANS DFIR Europe Summit and Training 2019 | Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019
-- Threat Hunting & Incident Response Summit 2019 | New Orleans, LA | September 30-October 7 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2019
-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019
-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019
-- SANS OnDemand and vLive Training
Get an 11" iPad Pro, Surface Pro, or Take $350 Off through August 7 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) August 1st at 1 PM ET: Improve your incident response functions and capabilities by tuning in for the Integrated Incident Response: A SANS Survey webcast: http://www.sans.org/info/213800
2) Security Inside the Perimeter. Learn how to protect critical workloads and applications inside your data center. http://www.sans.org/info/213805
3) Take the SANS 2019 Endpoint Survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/213810
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: New coverage available for Godlua malware
Description: Attackers recently targeted Linux and Windows machines with respective versions of the Godlua malware. The backdoor secures its communication via DNS over HTTPS. The attackers primarily use Godlua as a distributed denial-of-service bot, even launching an HTTP flood attack against one domain.
Snort SIDs: 50808 - 50811 (Written by Kristen Houser)
Title: New protection rolled out for Microsoft vulnerability exploited in the wild
Description: The OceanLotus APT recently launched a new malware known as "Ratsnif," which comes in four different variant forms. These rules fire when Ratsnif attempts to make an outbound connection to a command and control (C2) server, or if the malware attempts to download any files. Ratsnif remained undetected after its C2 went online back in August 2018, though researchers believe it's low level of infection kept it under the radar.
Reference: https://z6mag.com/2019/07/02/ratsnif-the-undetected-oceanlotus-malware-trojan/
Snort SIDs: 50800 - 50802 (Written by Kristen Houser)
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
A hacker obtained the information of more than 100 million Capitol One Bank customers in one of the largest data thefts against a bank in history.
https://www.nytimes.com/2019/07/29/business/capital-one-data-breach-hacked.html
The software engineer behind the Capitol One attack is reportedly a former employee of Amazon Web Services, and even took to Instagram after the hack to take credit for stealing the information.
https://nypost.com/2019/07/30/capital-one-hacker-boasted-on-social-media-after-breach-court-docs/
Democratic lawmakers in the U.S. are criticizing Republican leaders for not acting faster on cybersecurity policies that could help secure the 2020 American elections.
Louisiana declared a state of emergency after a cyberattack took down several county school systems' networks, the first time such declaration has been made in the state due to a cyber incident.
American tech companies are concerned that new cybersecurity policies in China could mean a reduction in business and too much power given to the government to control data. (This article is behind a paywall.)
https://www.wsj.com/articles/chinas-cybersecurity-regulations-rattle-u-s-businesses-11564409177
The malware researcher who helped bring down the WannaCry attacker will not face any jail time for his previous involvement with malware creation and infection.
Equifax is paying $125 to customers who had their information stolen in a 2016 hack, but attackers are using it as an opportunity to spin up scams that aim to steal users' personal information.
https://blog.malwarebytes.com/awareness/2019/07/how-to-get-your-equifax-money-and-stay-safe/
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2019-9848
Title: LibreOffice Remote Code Execution and Unauthorized Access Vulnerabilities
Vendor: LibreOffice
Description: LibreOffice is exposed to a remote code execution vulnerability and unauthorized access vulnerability. Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application and gain unauthorized access and perform malicious actions. LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2019-7839
Title: Adobe ColdFusion Arbitrary Command Injection Vulnerability
Vendor: Adobe
Description: ColdFusion vulnerable versions have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
Adobe Digital Editions is exposed to an unspecified arbitrary command injection vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the application. An attacker could exploit this vulnerability to compromise Confidentiality, Integrity and/or Availability.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2019-1010241
Title: Jenkins Credentials Binding Plugin Information Disclosure Vulnerability
Vendor: Jenkins
Description: Jenkins Credentials Binding plugin is exposed to an information disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks. Jenkins Credentials Binding Plugin is affected for storing passwords in a recoverable format. Authenticated users can recover credentials.
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2019-1010155
Title: D-Link DSL-2750U Multiple Authentication Bypass Vulnerabilities
Vendor: D-Link
Description: D-Link DSL-2750U is exposed to multiple authentication bypass vulnerabilities. An attacker can exploit these issues to bypass authentication mechanism and perform unauthorized actions.
CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
ID: CVE-2019-1010142
Title: Scapy "_RADIUSAttrPacketListField" Class Remote Denial of Service Vulnerability
Vendor: Python
Description: Scapy is exposed to a remote denial of service vulnerability. Attackers can exploit this issue to crash the affected application, denying service to legitimate users.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
ID: CVE-2017-5715
Title: Multiple CPU Hardware Information Disclosure Vulnerability
Vendor: Multiple Vendors
Description: Multiple CPU Hardware are exposed to an information disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side channel analysis.
CVSS v2 Base Score: 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)
ID: CVE-2019-1579
Title: Palo Alto Networks PAN-OS Multiple Remote Code Execution Vulnerabilities
Vendor: Palo Alto Networks
Description: Palo Alto Networks PAN-OS is prone to multiple remote code-execution vulnerabilities. Successfully exploiting these issues may result in the execution of arbitrary code in the context of the affected application. Remote Code Execution may allow an unauthenticated remote attacker to execute arbitrary code.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
=========================================================
MOST PREVALENT MALWARE FILES July 25 - Aug. 1:
COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/6dfaacd6f16cb86923f21217ca436b09348ee72b34849921fed2a17bddd59310/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6
MD5: f7145b132e23e3a55d2269a008395034
VirusTotal: https://www.virustotal.com/gui/file/8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6/details
Typical Filename: r2
Claimed Product: N/A
Detection Name: Unix.Exploit.Lotoor::other.talos
SHA 256: 2f4e7dba21a31bde1192ca03b489a9bd47281a28e206b3dcf245082a491e8e0a
MD5: cc0f21a356dfa1b7ebeb904ce80d9ddf
VirusTotal: https://www.virustotal.com/gui/file/2f4e7dba21a31bde1192ca03b489a9bd47281a28e206b3dcf245082a491e8e0a/details
Typical Filename: f1cf1595f0a6ca785e7e511fe0df7bc756e8d66d.xls
Claimed Product: Microsoft Excel
Detection Name: W32.2F4E7DBA21-100.SBX.TG
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
=============================================================
(c) 2019. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743
