@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that ensures the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses against all known attack vectors. Because it is also valuable to security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who want to stay current with the offensive methods in use.
September 5, 2019
=============================================================
@RISK: The Consensus Security Vulnerability Alert
September 05, 2019 - Vol. 19, Num. 36
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Aug. 29 - Sept. 5
============================================================
TOP VULNERABILITY THIS WEEK: Additional protection for attacks against popular VPN service
*************** Sponsored By AWS Marketplace ***************
Know Your Apps and Your Developers: JumpStart Guide to Securing Applications in AWS. In this webcast, learn how to work with developers to identify, assess and understand your applications and APIs deploying to AWS. SANS, AWS and Fortinet experts provide practical guidance for reusing resources, improving AppSec programs and planning future application development. Join us Sept. 11, 2:00 PM ET. http://www.sans.org/info/214110
============================================================
TRAINING UPDATE
-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019
-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019
-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019
-- SANS DFIR Europe Summit and Training 2019 | Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019
-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019
-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019
-- SIEM Summit & Training 2019 | Chicago, IL | October 7-14 | https://www.sans.org/event/siem-summit-2019
-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019
-- Purple Team Summit & Training 2019 | Dallas, TX | October 21-28 | https://www.sans.org/event/purple-team-summit-2019
-- SANS OnDemand and vLive Training
Get an iPad, Samsung Galaxy Tab A, or Take $250 off through September 18 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/courses
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Webcast: Learn key processes, skills and technologies required for an effective supply chain security program. Register: http://www.sans.org/info/214115
2) In the Denver area? Register for the SANS Cloud Security Operations Solutions Forum on October 18th: http://www.sans.org/info/214120
3) Webcast Tuesday September 17th at 1 PM ET: Elevating Enterprise Security with Fidelis Cybersecurity: Network and Deception. http://www.sans.org/info/214130
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: New protection fends off password-stealing attacks against popular VPN services
Description: Last week, attackers began launching password-stealing attacks against the Fortigate and Pulse VPN services. At the time, Cisco Talos released SNORT(R) rules covering Pulse VPN; additional coverage is now available for Fortigate. Attackers are attempting to steal encryption keys, passwords and other sensitive data from servers running these two VPN products. The bugs are exploited by sending an unpatched server a crafted web request whose path contains a directory-traversal sequence, which causes the server to return files it should never expose.
Reference: https://arstechnica.com/information-technology/2019/08/hackers-are-actively-trying-to-steal-passwords-from-two-widely-used-vpns/
Snort SIDs: 51370 - 51372, 51387 (Written by John Levy)
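The attack described above is a directory-traversal request against a VPN web portal, and the Snort rules are one way to catch it at the wire. As an added example (not part of the newsletter, and not Talos's rules), the following Python performs the equivalent check on web-server access logs after the fact: it percent-decodes each request target until it stops changing, so single and double encoding are both unwrapped, then checks whether the path or any query value climbs above the directory it starts in. The log lines, client addresses and the /vpn/portal and /vpn/lang paths are constructed for the demonstration and are not the real products' URLs.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache/nginx "combined" access-log line; only the fields used below are named.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log. Addresses and /vpn/... paths are placeholders,
# not the URLs of any real product.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [27/Aug/2019:10:14:01 +0000] "GET /vpn/portal/../../../../etc/passwd HTTP/1.1" 200 1841',
    '203.0.113.7 - - [27/Aug/2019:10:14:02 +0000] "GET /vpn/portal/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1841',
    '198.51.100.4 - - [27/Aug/2019:10:15:09 +0000] "GET /vpn/lang?lang=/..%252f..%252f..%252fetc/shadow HTTP/1.1" 200 900',
    '192.0.2.10 - - [27/Aug/2019:10:16:00 +0000] "GET /vpn/portal/login.html HTTP/1.1" 200 5120',
    '192.0.2.11 - - [27/Aug/2019:10:16:30 +0000] "GET /vpn/portal/css/../img/logo.png HTTP/1.1" 200 3200',
])

# Fixed reporting order so findings compare predictably.
REASON_ORDER = ["double percent-encoding", "null byte", "dot-dot segment", "escapes web root"]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %252e%252e (double
    encoding) ends up as '..' as well. Bounded to avoid pathological inputs."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(path):
    """True if the '..' segments climb above the directory the path starts in.
    Counted by hand because posixpath.normpath silently drops a leading '/..'."""
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def analyze_request(target):
    """Return the traversal indicators found in a request target (path + query)."""
    found = set()
    if re.search(r"%25[0-9A-Fa-f]{2}", target):
        found.add("double percent-encoding")
    raw_path, _, raw_query = target.partition("?")
    candidates = [fully_decode(raw_path)]
    # parse_qsl decodes once; decode again so nested encoding in a value is caught.
    candidates += [fully_decode(v) for _, v in parse_qsl(raw_query, keep_blank_values=True)]
    for value in candidates:
        value = value.replace("\\", "/")  # treat a backslash like a separator
        if "\x00" in value:
            found.add("null byte")
        if re.search(r"(^|/)\.\.(/|$)", value):
            found.add("dot-dot segment")
        if escapes_root(value):
            found.add("escapes web root")
    return [r for r in REASON_ORDER if r in found]


def scan_log(lines):
    """One finding per request that shows traversal indicators."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in combined format; skip rather than crash
        reasons = analyze_request(m["target"])
        if reasons:
            findings.append({"ip": m["ip"], "target": m["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding["ip"], finding["target"], ", ".join(finding["reasons"]))
```

A bare "dot-dot segment" that stays inside the web root (the logo request in the sample) is low confidence on its own; "escapes web root" on a request the server answered with 200 is the one to treat as a probable successful file read and to prioritise for response.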
Title: Multiple vulnerabilities disclosed in Cisco NX-OS software
Description: Cisco disclosed three high-severity denial-of-service vulnerabilities in its NX-OS software: CVE-2019-1965, CVE-2019-1964 and CVE-2019-1962. Exploitation can produce a variety of conditions, including forced reboots, crashes or disruption of certain processes.
Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-memleak-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ipv6-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-fsip-dos
Snort SIDs: 51365 - 51367 (Written by John Levy)
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Google's Project Zero uncovered several malicious websites that compromised iPhones for years, just by having users visit them.
https://www.cnet.com/news/google-says-iphone-security-flaws-let-websites-hack-them-for-years/
Security researchers believe this discovery could lead to a new wave of attacks on iPhones, which until now have mainly been targets of nation-state actors.
https://www.wired.com/story/ios-attack-watering-hole-project-zero/
A new report suggests ransomware attacks may be on the rise because threat actors are encouraged by extortion payments from insurance companies.
https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks
Attackers used a "SIM swapping" attack to take over Twitter CEO Jack Dorsey's personal account, posting offensive messages and linking to the group's Discord channel.
https://www.theverge.com/2019/8/31/20841448/jack-dorsey-twitter-hacked-account-sim-swapping
Amazon's Ring home security service recently released a list of the more than 400 police departments it partners with for a variety of reasons, and a new map can help users see what their cameras' footage may be used for.
https://lifehacker.com/how-to-see-if-police-are-using-ring-doorbells-to-monito-1837797394
Apple apologized to users for its practice of allowing contracted employees to listen in on Siri recordings. The company now says it will be an opt-in program, with the goal of improving the AI assistant.
https://www.theguardian.com/technology/2019/aug/29/apple-apologises-listen-siri-recordings
Chinese tech company Huawei accused the U.S. of launching cyber attacks against its networks, while also denying allegations that it stole smart camera technology from a Portuguese firm.
https://www.wsj.com/articles/huawei-accuses-the-u-s-of-cyberattacks-threatening-its-employees-11567500484
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2019-12643
Title: Cisco IOS XE REST API Container Software Authentication Bypass Vulnerability
Vendor: Cisco
Description: The vulnerability resides in the Cisco REST API virtual service container, but it affects the Cisco IOS XE Software devices on which that container runs. A successful exploit could allow an unauthenticated, remote attacker to obtain the token-id of an authenticated user. That token-id can then be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device. The issue is tracked as CVE-2019-12643 and carries the maximum CVSS v3 base score of 10.0.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2019-1663
Title: Cisco Routers Remote Command Execution Vulnerability
Vendor: Cisco
Description: A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. A remote attacker can exploit this issue to execute arbitrary commands on the host operating system with escalated privileges.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2019-1622
Title: Cisco Data Center Network Manager Information Disclosure Vulnerability
Vendor: Cisco
Description: A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software. An attacker could exploit this vulnerability by connecting to the web-based management interface of an affected device and requesting specific URLs. A successful exploit could allow the attacker to download log files and diagnostic information from the affected device.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
ID: CVE-2019-1935
Title: Cisco UCS Director Unauthenticated Remote Access Vulnerability
Vendor: Cisco
Description: A vulnerability in Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to log in to the CLI of an affected system by using the SCP User account (scpuser), which ships with default credentials. The vulnerability is due to the presence of a documented default account with an undocumented default password and incorrect permission settings for that account. An attacker could exploit it simply by logging in to an affected system with that account; a successful exploit allows the attacker to execute arbitrary commands with the privileges of the scpuser account. The same research that disclosed this issue also reported further flaws in these products (tracked under separate CVEs) that let an unauthenticated remote attacker bypass authentication and abuse a password-change function to inject arbitrary commands and execute code as root.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2019-15637
Title: Tableau XML External Entity Injection Vulnerability
Vendor: Tableau
Description: Numerous Tableau products are vulnerable to XML External Entity (XXE) injection via a malicious workbook, extension, or data source, leading to information disclosure or denial of service. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop.
CVSS v2 Base Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:N/A:P)
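The Tableau entry above is the classic XXE situation: an XML document the user did not write (a workbook or data source) is handed to a parser that honours its DTD. As an added example, not Tableau's code and not part of the Qualys entry, the following Python puts the vulnerable parser configuration beside the hardened one using only the standard library's SAX reader. The vulnerable parser resolves external general entities, so a SYSTEM entity in a crafted "workbook" copies a local file into the parsed output (the information-disclosure case on the page). The hardened parser turns external entity resolution off and rejects any DOCTYPE outright, which also removes the entity-expansion route to the denial-of-service case. The workbook XML, the element names and the secret file are constructed for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)

# Constructed stand-in for a sensitive file on the host that renders the workbook.
SECRET = "db-password=hunter2"
CLEAN_WORKBOOK = b"<workbook><datasource>sales.csv</datasource></workbook>"

def write_secret_file():
    """Create the constructed target file; returns its path."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(SECRET)
    return path

def malicious_workbook(secret_path):
    """Constructed 'workbook': the internal DTD subset declares an external
    general entity naming a local file, and the body references it, so a
    resolving parser copies that file's contents into <datasource>."""
    return (
        '<?xml version="1.0"?>'
        '<!DOCTYPE workbook [<!ENTITY xxe SYSTEM "{}">]>'
        "<workbook><datasource>&xxe;</datasource></workbook>"
    ).format(secret_path).encode()

class _Collector(ContentHandler):
    """Gathers each element's character data, keyed by element name."""
    def __init__(self):
        super().__init__()
        self.text, self._stack = {}, []
    def startElement(self, name, attrs):
        self._stack.append(name)
        self.text.setdefault(name, "")
    def characters(self, content):
        if self._stack:
            self.text[self._stack[-1]] += content
    def endElement(self, name):
        self._stack.pop()

class UnsafeXML(ValueError):
    """Raised when an untrusted document carries a DOCTYPE."""

class _RejectDoctype:
    """Lexical handler: a workbook never needs a DTD, so abort on the first one.
    Refusing the DTD blocks external entities and entity-expansion DoS alike."""
    def startDTD(self, name, public_id, system_id):
        raise UnsafeXML("DOCTYPE is not allowed in untrusted workbooks")
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass

def _parse(xml_bytes, resolve_external, reject_doctype):
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, _RejectDoctype())
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text

def parse_vulnerable(xml_bytes):
    """Vulnerable: external general entities are resolved, so &xxe; becomes
    the contents of whatever file the DTD named."""
    return _parse(xml_bytes, resolve_external=True, reject_doctype=False)

def parse_hardened(xml_bytes):
    """Hardened: external entities off (set explicitly rather than trusting the
    default) and any DOCTYPE rejected before the body is parsed."""
    return _parse(xml_bytes, resolve_external=False, reject_doctype=True)

def run_demo():
    """Returns (value leaked by the vulnerable parser, whether the hardened
    parser rejected the same document, value it reads from a clean workbook)."""
    path = write_secret_file()
    try:
        doc = malicious_workbook(path)
        leaked = parse_vulnerable(doc)["datasource"]
        try:
            parse_hardened(doc)
            rejected = False
        except UnsafeXML:
            rejected = True
        clean = parse_hardened(CLEAN_WORKBOOK)["datasource"]
    finally:
        os.remove(path)
    return leaked, rejected, clean

if __name__ == "__main__":
    print(run_demo())
```

The hardened parser sets feature_external_ges to False explicitly because CPython only stopped resolving external general entities by default in 3.7.1 and 3.6.7; on older interpreters the default parser behaves like parse_vulnerable. Rejecting the DOCTYPE is the stronger of the two controls: with no DTD there is nothing for an attacker to declare, which covers both the file-read and the billion-laughs variants the Tableau advisory's "information disclosure or denial of service" wording refers to.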
ID: CVE-2019-10149
Title: Exim Remote Command Execution Vulnerability
Vendor: Exim
Description: Exim is affected by a remote command execution vulnerability. It is exploitable instantly by a local attacker, and also instantly by a remote attacker in some non-default configurations. In the default configuration a remote attacker must keep a connection to the vulnerable server open for seven days (by transmitting one byte every few minutes), although faster methods may exist. Successful exploitation leads to remote command execution.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
=========================================================
MOST PREVALENT MALWARE FILES Aug. 29 - Sept. 5:
COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 9a082883ad89498af3ad8ece88d982736edbd46d65908617cf292cf7b5836dbc
MD5: 7a6f7f930217521e47c7b8d91fb79649
VirusTotal: https://www.virustotal.com/gui/file/9a082883ad89498af3ad8ece88d982736edbd46d65908617cf292cf7b5836dbc/details
Typical Filename: DHL Scan File.img
Claimed Product: IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER!
Detection Name: W32.9A082883AD-100.SBX.TG
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: 1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c
MD5: c785a8b0be77a216a5223c41d8dd937f
VirusTotal: https://www.virustotal.com/gui/file/1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c/details
Typical Filename: cslast.gif
Claimed Product: N/A
Detection Name: W32.1755C179F0-100.SBX.TG
SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7
MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
VirusTotal: https://www.virustotal.com/gui/file/093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7/details
Typical Filename: sayext.gif
Claimed Product: N/A
Detection Name: W32.093CC39350-100.SBX.TG
=============================================================
(c) 2019. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
https://www.sans.org/account
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743