@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
October 3, 2019=============================================================
@RISK: The Consensus Security Vulnerability Alert
October 03, 2019 - Vol. 19, Num. 40
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Sept. 26 - Oct. 3
============================================================
TOP VULNERABILITY THIS WEEK: APT targets members of Tibetan government with spyware
*************** Sponsored By AWS Marketplace ***************
AWS Education Series: Integrative CyberSecurity Posture Management (CSPM) + Cyber Investigations. Learn how to combine these two disciplines to identify security misconfigurations, risky associations, who's making changes, and more. Speakers from SANS, Barracuda Networks and AWS Marketplace will also provide methodology for evaluating CSPM to work with your investigative programs. October 9, 2 PM ET. http://www.sans.org/info/214375
============================================================
TRAINING UPDATE
-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018
-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018
-- Oil & Gas Cyber Security Summit 2018 | Houston, TX | October 1-6 | https://www.sans.org/event/oil-gas-cybersecurity-summit-2018
-- SANS Northern VA Fall-Tysons 2018 | October 13-20 | https://www.sans.org/event/northern-va-fall-tysons-2018
-- SANS London October 2018 | October 15-20 | https://www.sans.org/event/london-october-2018
-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018
-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018
-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018
-- SANS San Diego Fall 2018 | November 12-27 | https://www.sans.org/event/san-diego-fall-2018
-- SANS OnDemand and vLive Training
Get a 9.7" iPad, Samsung Galaxy Tab A or Take $300 Off with OnDemand or vLive, Offer Ends September 19.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) ICYMI Webcast: Walk through network-based threat hunting using the open-source Zeek network security monitor. http://www.sans.org/info/214380
2) Survey | Take the 2019 SANS SOC Survey for Oil & Gas. http://www.sans.org/info/214385
3) Webcast October 4th at 3:30 PM ET: Manage Vulnerabilities Through the Software Lifecycle: How to Enable Secure DevOps. http://www.sans.org/info/214390
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Moonshine attack installs spyware on Android devices
Description: Researchers recently discovered the Moonshine attack being used in the wild. An APT known as "Poison Karp" used Moonshine to load spyware onto mobile devices belonging to members of the Tibetan government. The attack consists of a mixture of eight different vulnerabilities in the Android mobile operating system, but no zero-days. Researchers say the attackers targeted staffers of the Dalai Lama once in 2018, and then again in April and May of this year.
Snort SIDs: 51672 (By Lilia Gonzalez Medina)
Title: Foxit PDF Reader JavaScript Array includes remote code execution vulnerability
Description: Foxit PDF Reader contains a remote code execution vulnerability in its JavaScript engine. Foxit aims to be one of the most feature-rich PDF readers on the market and contains many similar functions to that of Adobe Acrobat Reader. The software uses JavaScript at several different points when opening a PDF. A bug exists in the JavaScript reading function that results in a large amount of memory to be allocated, which quickly uses up all available memory. An attacker could exploit this vulnerability to then gain the ability to remotely execute code.
Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-foxit-PDF-JavaScript-sept-2019.html
Snort SIDs: 49648, 49649 (By Mike Bautista)
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
A security researcher says they're producing a legitimate-looking iPhone cable that can actually allow the user to completely take over another user's machine by connecting their phone to the targeted machine.
It's becoming increasingly easier for companies to buy misinformation campaigns designed to discredit their competition.
https://www.recordedfuture.com/disinformation-service-campaigns/
A group of academics in Germany discovered a new attack vector that could allow a malicious user to steal information from encrypted PDFs without any user interaction.
https://www.zdnet.com/article/new-pdfex-attack-can-exfiltrate-data-from-encrypted-pdf-files/
A criminal group was able to exploit two major web browser vulnerabilities over the past six months to display a combined 2 billion malicious ads to users across the internet.
The U.S. Senate passed a bill that would allow the Department of Homeland Security to establish incident response teams to assist local and state governments in the event of a ransomware attack.
https://threatpost.com/senate-passes-bill-aimed-at-combating-ransomware-attacks/148779/
The former CEO of MyPayrollHR was arrested and charged with fraud, weeks after the company quietly shut down and caused $26 million worth of paychecks to be withdrawn from customers' employees' accounts.
https://krebsonsecurity.com/2019/09/mypayrollhr-ceo-arrested-admits-to-70m-fraud/
Cisco Talos recently discovered a new malware loader being used to deliver and infect systems with a previously undocumented malware payload called "Divergent."
https://blog.talosintelligence.com/2019/09/divergent-analysis.html
The National Security Agency formally announced a new Cybersecurity Directorate, which will bring all of its cyber attack prevention efforts under one roof.
Attackers are increasingly using the ODT file type to bypass anti-virus detection.
https://blog.talosintelligence.com/2019/09/odt-malware-twist.html
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2019-16928
Title: Exim Remote Code Execution Vulnerability
Vendor: Multi-Vendor
Description: A heap based buffer overflow vulnerability exists in string_vformat in string.c involving a long EHLO command. The vulnerability can be exploited by an unauthenticated remote attacker using extraordinary long EHLO string to crash the Exim process that receives the message. This could potentially be further exploited to execute arbitrary code on the host.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2019-16759
Title: vBulletin pre-authentication remote code execution vulnerability
Vendor: vBulletin
Description: An unauthenticated attacker can send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands. These commands would be executed with the permissions of the user account that the vBulletin service is utilizing.The vulnerability would enable an attacker to hijack the webserver running the forum software, to launch attacks on other machines and to modify and steal sensitive information.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2019-1367
Title: Microsoft Internet Explorer Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
Note: This CVE ID is unique from CVE-2019-1221.
CVSS v2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
ID: CVE-2019-16097
Title: Harbor Remote Privilege Escalation Vulnerability
Vendor: Multi-Vendor
Description: A vulnerability in the POST /api/users API of Harbor may allow for a remote escalation of privilege. A malicious attacker with network access to a Harbor POST /api/users API could self-register a new account with administrative privileges. Successful exploitation of this issue may lead to a complete compromise of the Harbor deployment.
CVSS v2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
ID: CVE-2019-15943
Title: Counter-Strike Global Offensive Remote Code Execution Vulnerability
Vendor: valvesoftware
Description: Counter-Strike Global Offensive (vphysics.dll) allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, using a crafted map that causes memory corruption vulnerability.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
ID: CVE-2019-12562
Title: DotNetNuke Store Cross-Site Scripting vulnerability
Vendor: Multi-Vendor
Description: A stored cross site scripting vulenrability in DotNetNuke (DNN) allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perfom any action with admin privileges such as managing content, adding users, uploading backdoors to the server, etc. Successful exploitation occurs when an admin user visits a notification page with stored cross-site scripting.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
ID: CVE-2019-1914
Title: Cisco Small Business 220 Series Smart Switches Command Injection Vulnerability
Vendor: Cisco
Description: A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. To send the malicious request, the attacker needs a valid login session in the web management interface as a privilege level 15 user. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to execute arbitrary shell commands with the privileges of the root user.
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
=========================================================
MOST PREVALENT MALWARE FILES Sept. 26 - Oct. 3:
COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 39b114b72b19777a5c012b9f11d37f2402ed99e9f7e173826b8b61c933bf34e8
MD5: fbc6bd8bf115cb3f93a520d22b054b90
VirusTotal: https://www.virustotal.com/gui/file/39b114b72b19777a5c012b9f11d37f2402ed99e9f7e173826b8b61c933bf34e8/details
Typical Filename: N/A
Claimed Product: N/A
Detection Name: PUA.Win.Trojan.Remoteexec::tpd
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
=============================================================
(c) 2019. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743