@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who want to stay current with the offensive methods in use.

August 1, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            August 01, 2019 - Vol. 19, Num. 31


Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES July 25 - Aug. 1

============================================================


TOP VULNERABILITY THIS WEEK: Godlua backdoor communicates over DNS over HTTPS, targets Linux and Windows systems


************** Sponsored By AWS Marketplace ****************


AWS Education Series: Streamline Detection and Response by Integrating SIEM and SOAR in AWS. SANS, Optiv and AWS speakers will discuss design considerations, needs and capabilities, as well as technical, business and operational requirements for integrating and orchestrating SIEM and SOAR technologies in the AWS cloud. August 14, 2 PM ET. http://www.sans.org/info/213795


============================================================

TRAINING UPDATE

 

-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019


-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019


-- SANS Chicago 2019 | August 19-24 | https://www.sans.org/event/chicago-2019


-- SANS Virginia Beach 2019 | August 19-30 | https://www.sans.org/event/virginia-beach-2019


-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019


-- SANS DFIR Europe Summit and Training 2019 | Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019


-- Threat Hunting & Incident Response Summit 2019 | New Orleans, LA | September 30-October 7 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- SANS OnDemand and vLive Training

Get an 11" iPad Pro, Surface Pro, or Take $350 Off through August 7 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



********************** Sponsored Links: ********************


1) August 1st at 1 PM ET: Improve your incident response functions and capabilities by tuning in for the Integrated Incident Response: A SANS Survey webcast: http://www.sans.org/info/213800


2) Security Inside the Perimeter. Learn how to protect critical workloads and applications inside your data center. http://www.sans.org/info/213805


3) Take the SANS 2019 Endpoint Survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/213810


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: New coverage available for Godlua malware

Description: Attackers recently targeted Linux and Windows machines with platform-specific builds of the Godlua backdoor. The malware performs its command-and-control lookups over DNS over HTTPS (DoH), so those lookups are encrypted inside ordinary HTTPS sessions and do not appear in conventional DNS traffic monitoring. The attackers primarily use Godlua as a distributed denial-of-service bot, and it has already been observed launching an HTTP flood attack against at least one domain.

Reference: https://www.bleepingcomputer.com/news/security/new-godlua-malware-evades-traffic-monitoring-via-dns-over-https/

Snort SIDs: 50808 - 50811 (Written by Kristen Houser)
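Godlua's use of DoH matters to defenders because the lookups leave nothing in resolver logs or passive DNS; what remains visible is HTTPS traffic to DoH resolvers. The script below is an added example, not code from the newsletter, Talos or the Godlua analysis. It walks constructed web-proxy log lines, flags RFC 8484 requests by the /dns-query path or the application/dns-message media type, and decodes the DNS question carried in a GET-style dns= parameter. The log format, the resolver hostnames and the TXT lookup for the hypothetical name c2.example are assumptions made for the example.

```python
"""
Flag DNS-over-HTTPS (RFC 8484) requests in web-proxy logs and decode the
question a GET-style request carries. Added example; the log lines and
resolver names below are constructed for illustration, not real Godlua traffic.
"""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

QTYPE_NAMES = {1: "A", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype):
    """Build a minimal DNS query message: ID 0, RD set, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode an uncompressed wire-format name starting at offset."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            # Compression pointers do not occur in a query's question section
            raise ValueError("unexpected compression pointer in question")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_question(msg):
    """Return (qname, qtype) for a single-question DNS message."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    _id, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    qname, offset = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return qname, qtype


def b64url_decode(data):
    """RFC 8484 strips base64url padding; restore it before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def find_doh_requests(log_text):
    """Scan 'ts client method url content-type' lines; return DoH hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, method, url, ctype = line.split()
        parts = urlsplit(url)
        # RFC 8484 clients use the /dns-query path template and/or the
        # application/dns-message media type; either is enough to flag.
        if not (parts.path.endswith("/dns-query") or ctype == "application/dns-message"):
            continue
        question = None
        dns_param = parse_qs(parts.query).get("dns")
        if method == "GET" and dns_param:
            qname, qtype = parse_question(b64url_decode(dns_param[0]))
            question = (qname, QTYPE_NAMES.get(qtype, str(qtype)))
        # POST requests carry the query in the body, which proxy logs rarely
        # keep: the request is still flagged, but the question stays None.
        hits.append({"client": client, "resolver": parts.hostname,
                     "method": method, "question": question})
    return hits


# Constructed sample log (assumption: a "ts client method url content-type"
# proxy format). The first line is a TXT lookup for the hypothetical name
# c2.example, the kind of record a DoH-using backdoor would fetch.
_DNS_PARAM = base64.urlsafe_b64encode(build_query("c2.example", 16)).rstrip(b"=").decode()
SAMPLE_LOG = f"""\
1564617600 10.0.0.5 GET https://dns.example/dns-query?dns={_DNS_PARAM} -
1564617601 10.0.0.7 GET https://www.example.com/index.html -
1564617602 10.0.0.5 POST https://resolver.example/dns-query application/dns-message
"""

if __name__ == "__main__":
    for hit in find_doh_requests(SAMPLE_LOG):
        print(hit)
```

The decoded question is only available for GET-style requests; a POST carries the DNS message in the body, so the hit is recorded without a question. Because of that gap, the durable control is policy rather than inspection: allow DoH only to the resolvers the organization operates or sanctions, and treat any other host answering on /dns-query as suspect.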

 

Title: New protection rolled out for OceanLotus' Ratsnif trojan

Description: The OceanLotus APT recently deployed a new malware family known as "Ratsnif," which has been seen in four variants. These rules fire when Ratsnif attempts an outbound connection to a command and control (C2) server or attempts to download files. Ratsnif went undetected after its C2 came online in August 2018; researchers believe its low infection count kept it under the radar.

Reference: https://z6mag.com/2019/07/02/ratsnif-the-undetected-oceanlotus-malware-trojan/

Snort SIDs: 50800 - 50802 (Written by Kristen Houser)


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


A hacker obtained the information of more than 100 million Capital One customers in one of the largest data thefts against a bank in history.

https://www.nytimes.com/2019/07/29/business/capital-one-data-breach-hacked.html


The software engineer behind the Capital One attack is reportedly a former employee of Amazon Web Services, and boasted about the theft on social media after the hack.

https://nypost.com/2019/07/30/capital-one-hacker-boasted-on-social-media-after-breach-court-docs/


Democratic lawmakers in the U.S. are criticizing Republican leaders for not acting faster on cybersecurity policies that could help secure the 2020 American elections.

https://thehill.com/homenews/senate/454967-mcconnell-under-fire-for-burying-election-security-bills-in-legislative-graveyard


Louisiana declared a state of emergency after a cyberattack took down several school districts' networks, the first time such a declaration has been made in the state because of a cyber incident.

https://www.cnbc.com/2019/07/26/louisiana-declares-state-of-emergency-after-cybercriminals-attack-school-districts.html


American tech companies are concerned that new cybersecurity regulations in China could mean a reduction in business and give the government too much power to control data. (This article is behind a paywall.)

https://www.wsj.com/articles/chinas-cybersecurity-regulations-rattle-u-s-businesses-11564409177


The malware researcher who helped stop the WannaCry outbreak will not face any jail time for his earlier involvement in creating and distributing malware.

https://www.zdnet.com/article/marcus-malwaretech-hutchins-gets-no-prison-time-one-year-supervised-release/


Equifax is paying up to $125 to consumers who had their information stolen in its 2017 breach, but attackers are using the settlement as an opportunity to spin up scams that aim to steal users' personal information.

https://blog.malwarebytes.com/awareness/2019/07/how-to-get-your-equifax-money-and-stay-safe/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.


ID: CVE-2019-9848

Title: LibreOffice Remote Code Execution and Unauthorized Access Vulnerabilities

Vendor: LibreOffice

Description: LibreOffice is exposed to remote code execution and unauthorized access vulnerabilities. LibreOffice documents can specify that pre-installed scripts run on document events such as mouse-over or document load. LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary Python commands. By using the document event feature to trigger LibreLogo on Python code contained within the document, an attacker can construct a malicious document that silently executes arbitrary Python commands, in the context of the user who opens it, without any prompt or warning. In the fixed versions, LibreLogo cannot be called from a document event handler.

CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
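The mechanism above (a document event handler pointing at a script URI) is declared in the document's XML, so it can be enumerated before the file is ever opened. The script below is an added example, not LibreOffice's, Qualys' or SANS's code: it opens an ODF package, lists every event-bound script handler in content.xml and styles.xml, and flags those whose script URI references LibreLogo. The two documents it scans are constructed in memory, and the script URI values, the dom:load event name and the mimetype handling are assumptions made for the example.

```python
"""
Triage check for ODF documents: enumerate every event-bound script handler
the document declares and flag those that invoke LibreLogo. Added example
(not LibreOffice's, Qualys' or SANS's code); the documents built below are
constructed in memory for illustration.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS_SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
NS_XLINK = "http://www.w3.org/1999/xlink"
SCANNED_PARTS = ("content.xml", "styles.xml")  # parts that may carry event listeners


def list_event_scripts(odf_bytes):
    """Return (part, event name, script URI) for each script:event-listener,
    wherever it appears (document-level office:scripts or on an element)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as z:
        for part in SCANNED_PARTS:
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))
            for el in root.iter(f"{{{NS_SCRIPT}}}event-listener"):
                found.append((part,
                              el.get(f"{{{NS_SCRIPT}}}event-name", ""),
                              el.get(f"{{{NS_XLINK}}}href", "")))
    return found


def librelogo_handlers(odf_bytes):
    """Handlers whose script URI references LibreLogo (the CVE-2019-9848 pattern)."""
    return [h for h in list_event_scripts(odf_bytes) if "librelogo" in h[2].lower()]


def build_sample_odt(event_name, href):
    """Constructed minimal ODT with one document-level event listener."""
    safe_href = escape(href, {'"': "&quot;"})  # '&' in the URI must be escaped in XML
    content = f'''<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
    xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
    xmlns:script="{NS_SCRIPT}" xmlns:xlink="{NS_XLINK}" office:version="1.2">
  <office:scripts>
    <office:event-listeners>
      <script:event-listener script:language="ooo:script"
          script:event-name="{event_name}" xlink:type="simple"
          xlink:href="{safe_href}"/>
    </office:event-listeners>
  </office:scripts>
  <office:body><office:text><text:p>sample</text:p></office:text></office:body>
</office:document-content>
'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # ODF packages put the mimetype part first, stored uncompressed
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", content)
    return buf.getvalue()


# Illustrative script URIs (assumptions for the example): a LibreLogo call
# bound to document load, and an ordinary document-embedded Basic macro.
LIBRELOGO_HREF = "vnd.sun.star.script:LibreLogo|LibreLogo.py$run?language=Python&location=application"
BASIC_HREF = "vnd.sun.star.script:Standard.Module1.Main?language=Basic&location=document"

if __name__ == "__main__":
    for doc in (build_sample_odt("dom:load", LIBRELOGO_HREF),
                build_sample_odt("dom:load", BASIC_HREF)):
        print("handlers:", list_event_scripts(doc))
        print("LibreLogo:", librelogo_handlers(doc))
```

The LibreLogo match is the narrow signature for this CVE; the full handler list is the more useful output, since any script bound to a document event runs without the user asking for it, and the fix only closes the LibreLogo path. Pair the check with the version check: patched LibreOffice refuses LibreLogo calls from event handlers regardless of what the document declares.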


ID: CVE-2019-7839

Title: Adobe ColdFusion Arbitrary Command Injection Vulnerability

Vendor: Adobe

Description: Affected versions of Adobe ColdFusion contain a command injection vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the ColdFusion application, compromising confidentiality, integrity and availability of the server.

CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID: CVE-2019-1010241

Title: Jenkins Credentials Binding Plugin Information Disclosure Vulnerability

Vendor: Jenkins

Description: The Jenkins Credentials Binding plugin is exposed to an information disclosure vulnerability: it stores passwords in a recoverable format, so authenticated users can recover credentials. An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks.

CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


ID: CVE-2019-1010155

Title: D-Link DSL-2750U Multiple Authentication Bypass Vulnerabilities

Vendor: D-Link

Description: The D-Link DSL-2750U is exposed to multiple authentication bypass vulnerabilities. An attacker can exploit these issues to bypass the authentication mechanism and perform unauthorized actions on the device.

CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)


ID: CVE-2019-1010142

Title: Scapy "_RADIUSAttrPacketListField" Class Remote Denial of Service Vulnerability

Vendor: Scapy

Description: Scapy is exposed to a remote denial-of-service vulnerability in its _RADIUSAttrPacketListField class. An attacker can trigger it with a malformed RADIUS packet, delivered over the network or in a pcap file that Scapy is asked to parse, causing an infinite loop that leaves the affected application unresponsive and denies service to legitimate users.

CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)


ID: CVE-2017-5715

Title: Multiple CPU Hardware Information Disclosure Vulnerability (Spectre Variant 2, branch target injection)

Vendor: Multiple Vendors

Description: Multiple CPUs are exposed to an information disclosure vulnerability. Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via side-channel analysis. Attackers can exploit this issue to obtain sensitive information from memory they should not be able to read, which may aid in further attacks.

CVSS v2 Base Score: 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)


ID: CVE-2019-1579

Title: Palo Alto Networks PAN-OS GlobalProtect Remote Code Execution Vulnerability

Vendor: Palo Alto Networks

Description: Palo Alto Networks PAN-OS with the GlobalProtect portal or GlobalProtect gateway interface enabled is prone to a remote code-execution vulnerability. An unauthenticated remote attacker can exploit it to execute arbitrary code in the context of the affected application.

CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


=========================================================


MOST PREVALENT MALWARE FILES July 25 - Aug. 1:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/6dfaacd6f16cb86923f21217ca436b09348ee72b34849921fed2a17bddd59310/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6

MD5: f7145b132e23e3a55d2269a008395034

VirusTotal: https://www.virustotal.com/gui/file/8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6/details

Typical Filename: r2

Claimed Product: N/A

Detection Name: Unix.Exploit.Lotoor::other.talos


SHA 256: 2f4e7dba21a31bde1192ca03b489a9bd47281a28e206b3dcf245082a491e8e0a

MD5: cc0f21a356dfa1b7ebeb904ce80d9ddf

VirusTotal: https://www.virustotal.com/gui/file/2f4e7dba21a31bde1192ca03b489a9bd47281a28e206b3dcf245082a491e8e0a/details

Typical Filename: f1cf1595f0a6ca785e7e511fe0df7bc756e8d66d.xls

Claimed Product: Microsoft Excel

Detection Name: W32.2F4E7DBA21-100.SBX.TG


SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: xme64-2141.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08

MD5: db69eaaea4d49703f161c81e6fdd036f

VirusTotal: https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details

Typical Filename: xme32-2141-gcc.exe

Claimed Product: N/A

Detection Name: W32.46B241E3D3-95.SBX.TG


=============================================================


(c) 2019.  All rights reserved.  The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743