@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
October 24, 2019
=============================================================
@RISK: The Consensus Security Vulnerability Alert
October 24, 2019 - Vol. 19, Num. 43
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Oct. 17 - 24
============================================================
TOP VULNERABILITY THIS WEEK: Gustuff banking trojan with new features, larger target base
***************** Sponsored By ExtraHop ********************
What Works in SOC/NOC Integration: Improving Time to Detect, Respond and Contain with ExtraHop Reveal(X). Less than 40% of SOC managers say that the SOC and the NOC are effectively integrated, based on the 2019 SANS Security Operations Center survey. This webcast will feature Curo Financial discussing their selection and deployment of ExtraHop's Reveal(X) to increase visibility into their network traffic. http://www.sans.org/info/214555
============================================================
TRAINING UPDATE
-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019
-- DFIRCON 2019 | Miami, FL | November 4-9 | https://www.sans.org/event/dfircon-miami-2019
-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019
-- SANS Sydney 2019 | November 4-23 | https://www.sans.org/event/sydney-2019
-- SANS London November 2019 | November 11-16 | https://www.sans.org/event/london-november-2019
-- SANS Atlanta Fall 2019 | November 18-23 | https://www.sans.org/event/atlanta-fall-2019
-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019
-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS OnDemand and vLive Training
Get an iPad Mini, an ASUS Chromebook Flip, or Take $250 Off through October 30 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) ICYMI Webcast: Pivotal Platform - Getting Started with Native Runtime Protection for PAS. http://www.sans.org/info/214560
2) Survey: SANS is seeking women to take our first SANS 2020 Women in Cybersecurity Survey! http://www.sans.org/info/214565
3) Webcast October 29th at 10:30 AM ET: Real World Challenges for PCI Compliant Containers. http://www.sans.org/info/214570
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Gustuff V2
Description: The Gustuff banking trojan is back with new features, months after initially appearing targeting financial institutions in Australia. Cisco Talos first reported on Gustuff in April. Soon after, the actors behind Gustuff started by changing the distribution hosts and later disabled its command and control (C2) infrastructure. The actor retained control of their malware since there is a secondary admin channel based on SMS. The latest version of Gustuff no longer contains hardcoded package names, which dramatically lowers the static footprint when compared to previous versions.
Reference: https://blog.talosintelligence.com/2019/10/gustuffv2.html
Snort SIDs: 51908 - 51922
Title: Attackers use malicious GIFs to attack WhatsApp
Description: The WhatsApp messaging app contains a double-free vulnerability. An attacker could exploit this vulnerability, identified as CVE-2019-11932, to carry out a variety of malicious activities, including memory leaks and arbitrary code execution. Exploitation of this bug requires the attacker to send a WhatsApp user a specially crafted GIF. These rules prevent attackers from carrying out remote code execution through these GIFs.
Snort SIDs: 51953 - 51956 (By Tim Muniz)
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The U.S. Department of Justice says it took down the largest child pornography darknet site in the world and arrested more than 300 users and organizers.
https://www.cnn.com/2019/10/16/politics/doj-darknet-child-pornography-takedown/index.html
Samsung publicly acknowledged a vulnerability in the S10 smartphone that could allow anyone's fingerprint to unlock the device and promised to patch it as soon as possible.
https://www.bbc.com/news/technology-50080586
One of the best-known hacking groups behind the disruption of the 2016 U.S. presidential election is still active, albeit not as publicly.
https://www.cyberscoop.com/cozy-bear-return-espionage-russian-hacking/
The newest update to Google Chrome includes "site isolation," which protects users from the theft of their passwords stored in the browser.
The U.K. says Russian-linked hacking groups stole tools from the well-known Oilrig APT in an attempt to carry out attacks on more than 35 countries.
https://www.ft.com/content/b947b46a-f342-11e9-a79c-bc9acae3b654
Several security and technology vendors formed a new group aimed at better protecting American infrastructure, including utilities and the oil and gas industries.
German manufacturer Pilz says many of its systems are still offline a week after a ransomware attack, which has disrupted the delivery of shipments and caused the loss of internal communications.
https://www.infosecurity-magazine.com/news/german-giant-pilz-down-after/
Popular VPN service NordVPN confirmed it was hacked after weeks of reports that the company had an expired internal private key exposed.
https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2019-14287
Title: SUDO Security Policy Bypass Vulnerability
Vendor: Multi-Vendor
Description: When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification. An attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID.
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
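As an added illustration (not from the newsletter, Qualys or the sudo project), a small Python auditor that flags the configuration the advisory describes: a Runas specification that lists ALL first and then negates root, by name or as uid #0. The sudoers content is constructed; the parser handles only the common `user host=(runas) command` form and does not implement the full sudoers grammar (aliases, Defaults lines, include directives), so treat it as a triage aid rather than a substitute for patching.

```python
import re

# Constructed sample sudoers content (not taken from any real system).
# Lines 3 and 5 show the pattern the advisory describes: ALL listed first
# with root excluded afterwards. Line 6 has ALL second, which the advisory
# does not describe as affected.
SAMPLE_SUDOERS = """\
# comment line
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) /usr/bin/vim
bob     ALL=(www-data) /usr/bin/systemctl restart nginx
carol   ALL=(ALL, !#0) NOPASSWD: /bin/ls
dave    ALL=(!root, ALL) /bin/cat
"""

# Matches the parenthesised Runas part of "user host=(runas_user:runas_group) cmd".
RUNAS_RE = re.compile(r"=\s*\(([^)]*)\)")


def parse_runas(line):
    """Return the Runas user entries of one sudoers line, or None if it has no Runas spec."""
    m = RUNAS_RE.search(line)
    if not m:
        return None
    users = m.group(1).split(":")[0]  # drop the optional ":group" part
    return [u.strip() for u in users.split(",") if u.strip()]


def is_bypassable(runas_users):
    """True when ALL is listed first and root (by name or uid #0) is negated later."""
    if not runas_users or runas_users[0] != "ALL":
        return False
    return any(u in ("!root", "!#0") for u in runas_users[1:])


def find_risky_runas(sudoers_text):
    """Return (line number, user, runas list) for every line matching the risky pattern."""
    findings = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        # Skip blank lines and full-line comments; "#0" inside a Runas list is a uid, not a comment.
        if not line or line.startswith("#"):
            continue
        runas = parse_runas(line)
        if runas is not None and is_bypassable(runas):
            findings.append((lineno, line.split()[0], runas))
    return findings


if __name__ == "__main__":
    for lineno, user, runas in find_risky_runas(SAMPLE_SUDOERS):
        print(f"line {lineno}: user {user!r} has Runas {runas} (ALL first, root excluded)")
```

Running this on a real system means feeding it the output of `visudo -c` or the contents of /etc/sudoers and /etc/sudoers.d; any hit is a configuration worth reviewing regardless of sudo version, since excluding root from an ALL Runas list rarely expresses what the administrator intended.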
ID: CVE-2019-2215
Title: Android Binder Use-After-Free Vulnerability
Vendor: Google
Description: A use-after-free in binder.c allows an elevation of privilege from an application to the Linux kernel. No user interaction is required to exploit this vulnerability; however, exploitation does require either the installation of a malicious local application or a separate vulnerability in a network-facing application.
CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2019-7609
Title: Kibana Timelion Remote Code Execution Vulnerability
Vendor: Elastic
Description: The Kibana Timelion visualizer is exposed to an arbitrary code execution vulnerability. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2019-16278
Title: Nostromo Nhttpd Remote Code Execution Vulnerability
Vendor: Nazgul
Description: A directory traversal vulnerability exists in the function http_verify in nostromo nhttpd. It allows an attacker to achieve remote code execution via a crafted HTTP request. An attacker can bypass a check for /../, which allows them to execute /bin/sh with arbitrary arguments.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2019-2890
Title: Oracle WebLogic Server Vulnerability
Vendor: Oracle
Description: A vulnerability exists in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). This easily exploitable vulnerability allows a high-privileged attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks on this vulnerability can result in takeover of Oracle WebLogic Server.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
ID: CVE-2019-17662
Title: ThinVNC Authentication Bypass Vulnerability
Vendor: Cybelsoft
Description: ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
ID: CVE-2019-11510
Title: Pulse Connect Secure arbitrary file read vulnerability
Vendor: PulseSecure
Description: In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to exploit an arbitrary file read vulnerability.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
=========================================================
MOST PREVALENT MALWARE FILES Oct. 17 - 24
COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
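As an added example (not part of the newsletter and not Talos tooling), a Python sweep that hashes every file under a directory and matches it against the SHA-256 and MD5 indicators listed above. The indicator table is copied from this issue; the files the self-check writes are constructed stand-ins, so the demo adds its own constructed hash to a copy of the table rather than claiming any real sample is present.

```python
import hashlib
import os
import tempfile

# Indicators copied from this issue's "most prevalent malware files" list,
# keyed by hash with the typical filename as the label.
IOC_SHA256 = {
    "7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510": "xme64-2141.exe",
    "46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08": "xme32-2141-gcc.exe",
    "c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f":
        "c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin",
    "85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5": "Eternalblue-2.2.0.exe",
    "15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b": "mf2016341595.exe",
}
IOC_MD5 = {
    "4a50780ddb3db16ebab57b0ca42da0fb": "xme64-2141.exe",
    "db69eaaea4d49703f161c81e6fdd036f": "xme32-2141-gcc.exe",
    "e2ea315d9a83e7577053f52c974f6a5a":
        "c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin",
    "8c80dd97c37525927c1e549cb59bcbf3": "Eternalblue-2.2.0.exe",
    "799b30f47060ca05d80ece53866e01cc": "mf2016341595.exe",
}


def hash_file(path, chunk_size=1 << 20):
    """Return (sha256, md5) hex digests, reading the file in chunks so large files fit in memory."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            sha.update(block)
            md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def scan_directory(root, sha_iocs=IOC_SHA256, md5_iocs=IOC_MD5):
    """Walk root and return (path, hash type, digest, label) for every file matching an indicator.

    SHA-256 is checked first; MD5 is consulted only as a fallback because it is
    collision-prone and is listed here only because the newsletter publishes it.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                sha, md5 = hash_file(path)
            except OSError:  # unreadable or vanished file; keep sweeping
                continue
            if sha in sha_iocs:
                hits.append((path, "sha256", sha, sha_iocs[sha]))
            elif md5 in md5_iocs:
                hits.append((path, "md5", md5, md5_iocs[md5]))
    return hits


def demo():
    """Self-check on constructed files: one benign, one whose constructed hash is added to a copy of the table."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "readme.txt"), "wb") as f:
            f.write(b"constructed benign content\n")
        suspect = os.path.join(d, "sample.bin")
        with open(suspect, "wb") as f:
            f.write(b"constructed sample standing in for a listed file\n")
        sha, _ = hash_file(suspect)
        iocs = dict(IOC_SHA256)
        iocs[sha] = "constructed-sample"  # constructed indicator, not from the newsletter
        return [(os.path.basename(p), how, label) for p, how, _, label in scan_directory(d, iocs)]


if __name__ == "__main__":
    for name, how, label in demo():
        print(f"{name}: matched {how} indicator for {label}")
```

For a real sweep, point `scan_directory` at the paths you care about (user profiles, temp directories, download folders) and feed the hits into your case notes; hash matching only catches byte-identical copies, so it complements rather than replaces the Talos detection names listed above.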
=============================================================
(c) 2019. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743