@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

September 26, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

              September 26, 2019 - Vol. 19, Num. 39


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Sept. 19 - 26

============================================================


TOP VULNERABILITY THIS WEEK: Emotet returns after a quiet summer


************** Sponsored By AWS Marketplace ****************


Cyber Investigations and Security Posture Management Working Together. Speakers from SANS, AWS Marketplace and Barracuda Networks explain how CyberSecurity Posture Management (CSPM) can enhance cyber investigations in AWS environments. In this webcast, learn how to select data sources and investigation tools and how to use CSPM in your cyber investigative processes. October 9, 2 PM ET. http://www.sans.org/info/214315


============================================================

TRAINING UPDATE

 

-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- SANS Denver 2019 | October 14-19 | https://www.sans.org/event/denver-2019


-- SANS Amsterdam October 2019 | October 28-November 2 | https://www.sans.org/event/amsterdam-october-2019


-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019


-- SANS Sydney 2019 | November 4-23 | https://www.sans.org/event/sydney-2019


-- SANS London November 2019 | November 11-16 | https://www.sans.org/event/london-november-2019


-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019


-- SANS OnDemand and vLive Training

Get an iPad Mini, Surface Go, or Take $300 Off through October 2 with your OnDemand or vLive course.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Webcast September 26th at 3:30PM ET: NetOps and SecOps: "Can't We All Just Get Along?" Register: http://www.sans.org/info/214320


2) In the Denver area? Join us at the SANS Cloud Security Operations Solutions Forum on October 18th: http://www.sans.org/info/214325


3) Upcoming Webcast: Hear the challenges of translating technical cyber risks into the language of business: http://www.sans.org/info/214330


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: New Emotet campaign emerges, but protection stays the same

Description: At the beginning of June 2019, Emotet's operators decided to take an extended summer vacation. Even the command and control (C2) infrastructure saw a major pause in activity. However, as summer drew to a close, Cisco Talos and other researchers started to see increased activity in Emotet's C2 infrastructure. As of Sept. 16, 2019, the Emotet botnet has fully reawakened and has resumed spamming operations. The malware still mainly relies on socially engineered spam emails to spread. Once the attackers have swiped a victim's email, Emotet constructs new attack messages in reply to some of that victim's unread email messages, quoting the bodies of real messages in the threads.

Reference: https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html

Snort SIDs: 47616, 47617, 48402, 49889, 43890 - 43892, 44559, 44560

 

Title: Aspose PDF API contains multiple remote code execution vulnerabilities

Description: There are multiple remote code execution vulnerabilities in the Aspose.PDF API. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and tricking them into opening it while using the corresponding API.

Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-aspose-PDF-API-sept-2019.html

Snort SIDs: 50730, 50731, 50738, 50739


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Apple's iOS is now widely available on streaming devices, and it comes with a slew of new privacy and security features.

https://www.wired.com/story/ios-13-security-privacy-features-settings/


However, the initial release contains a bug where the iPhone will ignore certain location services features if the user has set an app to "never" track their location.

https://www.forbes.com/sites/kateoflahertyuk/2019/09/23/apple-confirms-ios-13-location-privacy-bug-impacting-millions-of-iphone-users/#3eb5f3a6fac8


The FBI reportedly uses a large number of secret subpoenas to obtain information about private companies, specifically in the tech industry.

https://www.nytimes.com/2019/09/20/us/data-privacy-fbi.html


Software firm Chef is cancelling its contract with U.S. ICE after a former employee deleted open-source code in protest.

https://www.vice.com/en_us/article/qvg3q5/chef-not-renewing-ice-immigration-customs-enforcement-contract-after-code-deleting-protest


Dozens of YouTube content creators had their accounts hijacked over the past week, likely the result of a phishing scam where attackers lured channel owners to a malicious website and stole their login credentials.

https://www.zdnet.com/article/massive-wave-of-account-hijacks-hits-youtube-creators/


Microsoft released an out-of-band patch for Internet Explorer that fixes a critical vulnerability in the web browser that could be used to take over the victim's entire machine.

https://www.pcworld.com/article/3440556/a-new-internet-explorer-bug-can-take-over-your-entire-pc-so-stop-using-it.html


The U.S. is reportedly looking into several options to carry out a cyber attack on Iran that would hamper its ability to disrupt the Middle East while avoiding kinetic warfare.

https://www.nytimes.com/2019/09/23/world/middleeast/iran-cyberattack-us.html


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:        CVE-2019-5485

Title:    Gitlabhook NPM Package Remote Command Execution Vulnerability

Vendor:    gitlabhook

Description: The NPM package gitlabhook is vulnerable to command injection: arbitrary commands supplied in the repository name are passed to the shell and executed.

CVSS v2 Base Score:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-1262

Title:    Microsoft SharePoint Persistent Cross-Site Scripting Vulnerability

Vendor:    Microsoft

Description: A cross-site scripting vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attack could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as changing permissions and deleting content, and inject malicious content into the user's browser.

CVSS v2 Base Score:    3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)


ID:        CVE-2019-1579

Title:    HPE Intelligent Management Center Information Disclosure Vulnerability

Vendor:    HPE

Description: An information disclosure vulnerability exists in HPE Intelligent Management Center due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this to allow unauthenticated access.

CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)


ID:        CVE-2019-16531

Title:    LayerBB Cross-Site Request Forgery Vulnerability

Vendor:    LayerBB

Description: LayerBB has multiple cross-site request forgery issues, such as editing user profiles and forums. These can be demonstrated by changing the System Settings via admin/general.php.

CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-16399

Title:    Western Digital My Book World II NAS Authentication Bypass Vulnerability

Vendor:    Western Digital

Description: An Authentication Bypass Vulnerability exists in Western Digital WD My Book World, which allows an attacker to access the /admin/ directory without credentials. An attacker can easily enable SSH from /admin/system_advanced.php?lang=en and login with the default root password welc0me.

CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID: CVE-2019-1253

Title: Microsoft Windows AppXSvc Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Elevation of Privilege Vulnerability'.

Note: This CVE ID is unique from CVE-2019-1215, CVE-2019-1278, CVE-2019-1303.

CVSS v2 Base Score:    7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


=========================================================


MOST PREVALENT MALWARE FILES Sept. 19 - 26:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP




=============================================================


(c) 2019. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743