@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who hope to stay current with the offensive methods in use.
December 26, 2019
=============================================================
@RISK: The Consensus Security Vulnerability Alert
December 26, 2019 - Vol. 19, Num. 52
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
MOST PREVALENT MALWARE FILES Dec. 19 - 26
============================================================
TOP VULNERABILITY THIS WEEK: Attackers utilize Cisco ASA bug to carry out DoS attacks
******************** Sponsored By SANS ********************
Kick off RSA Conference 2020 with Hands-on SANS Training | San Francisco, CA | Feb 23-24. Develop the skills you need to better protect your organization with SANS information security training at RSA Conference 2020. http://www.sans.org/info/215100
============================================================
TRAINING UPDATE
-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020
-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020
-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- ICS Security Summit & Training | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS OnDemand and vLive Training
Get an iPad Mini, a Samsung Galaxy Tab S2, or Take $300 Off through January 8 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1. Webcast January 14 at 1 PM ET: What Really Matters to Security Teams: Endpoint Security Priorities for 2020. http://www.sans.org/info/215105
2. ICYMI Webcast: David Szili discusses his experience using Mimecast's Web Security Service. View here: http://www.sans.org/info/215110
3. In the Austin area? Join us for the Automation & Orchestration Forum on January 30: http://www.sans.org/info/215115
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Old vulnerability in Cisco Adaptive Security Appliances exploited in DoS attacks
Description: Attackers are exploiting a previously patched vulnerability in Cisco ASA to carry out denial-of-service attacks and to obtain sensitive information from affected devices. The vulnerability, CVE-2018-0296, is a directory traversal bug in the web services interface of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. An unauthenticated, remote attacker can send a specially crafted URL to make the device reload (a denial of service) or to disclose sensitive system information without authenticating. Cisco disclosed and patched the vulnerability in June 2018, but devices that were never updated are still being targeted, so confirm that every ASA and FTD device is running a fixed release and review web interface logs for unexpected directory traversal requests.
Snort SIDs: 46897
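The ASA bug above is a directory traversal reached through a crafted URL, so the log-side check a defender wants is one that undoes URL encoding before looking for ".." segments. The following script is an added example written for this newsletter, not Cisco's code and not part of the Talos report: it percent-decodes each request path (including double-encoded sequences), walks the path segment by segment, and flags any request containing a ".." segment, reporting separately whether the path climbs above the web root. The log format and the sample lines are constructed for illustration and do not follow any real ASA syslog layout; the client addresses are documentation ranges.

```python
"""Added example (not Cisco's or Talos's code): flag HTTP requests to a
device's web interface whose path contains a directory-traversal sequence,
after undoing single and double percent-encoding. The log format and the
sample lines are constructed for illustration and do not follow any real
ASA syslog layout."""
import re
from urllib.parse import unquote

# Constructed sample access log: "<client-ip> <method> <request-target> <status>".
# The three requests from 198.51.100.7 carry traversal: plain, double-encoded,
# and one that climbs above the web root.
SAMPLE_LOG = """\
203.0.113.10 GET /logon.html 200
203.0.113.11 GET /static/css/site...v2.css 200
198.51.100.7 GET /files/../admin/config 200
198.51.100.7 GET /files/%252e%252e%252fadmin/config 200
198.51.100.7 GET /%2e%2e/%2e%2e/etc/passwd 403
203.0.113.12 POST /logon.html?next=/admin 302
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def decode_path(raw, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded %252e%252e%252f ends up as '../'. Backslashes are folded
    to '/' because some servers treat them as separators."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def traversal_depth(path):
    """Walk a decoded path segment by segment. Returns (dotdot, min_depth):
    the number of '..' segments and the lowest directory depth reached.
    A negative min_depth means the request tried to climb above the root."""
    depth = min_depth = dotdot = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            dotdot += 1
            depth -= 1
            min_depth = min(min_depth, depth)
        else:
            depth += 1
    return dotdot, min_depth


def is_traversal(request_target):
    """True if the path part of the request target contains any '..' segment
    after decoding. Any '..' is flagged, not only ones that escape the root:
    a path like /a/../b stays under the root yet can reach a handler that a
    prefix check on /a/ was meant to protect."""
    path = request_target.split("?", 1)[0]  # servers parse the query separately
    dotdot, _ = traversal_depth(decode_path(path))
    return dotdot > 0


def scan_log(text):
    """Return one record per flagged request with the decoded path attached."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, method, target, status = m.groups()
        decoded = decode_path(target.split("?", 1)[0])
        dotdot, min_depth = traversal_depth(decoded)
        if dotdot:
            hits.append({
                "src": src, "method": method, "status": status,
                "raw": target, "decoded": decoded,
                "dotdot": dotdot, "escapes_root": min_depth < 0,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['src']} {hit['method']} {hit['raw']} -> {hit['decoded']} "
              f"(escapes root: {hit['escapes_root']})")
```

Flagging every ".." segment rather than only root escapes is deliberate: the dangerous case for a device web interface is a path that passes an access check on one prefix and is then resolved to a different handler, and such a path never leaves the root. A status code of 200 on a flagged request is the line to triage first; a 403 or 404 still shows an attacker probing and is worth a block on the source address.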
Title: Multiple vulnerabilities in some WAGO devices
Description: The WAGO PFC200 and PFC100 controllers contain multiple exploitable vulnerabilities. The PFC200 is one of WAGO's programmable automation controllers, used in many industries including automotive, rail, power engineering, manufacturing and building management. The vulnerabilities disclosed here all have their root cause in the protocol handling code of the I/O Check (iocheckd) configuration service used by the controllers. They could allow an attacker to remotely execute code, deny service to the device or weaken device login credentials, so the iocheckd service should not be reachable from untrusted networks.
Reference: https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-multiple.html
Snort SIDs: 50786 - 50789, 50790 - 50793, 50797
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Reporters and researchers at the New York Times were able to use leaked location data to track cell phone users across the U.S., including President Donald Trump, which highlights a major national security risk.
https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html
The login credentials for more than 3,000 Ring camera users were leaked last week, the latest blow to the Amazon-owned security company.
Gas station chain Wawa says it had been the victim of a payment card-stealing malware infection since March, potentially affecting every customer at each of its locations. The company is offering victims free fraud protection for a year.
https://slate.com/technology/2019/12/how-bad-is-the-wawa-data-breach.html
A U.S. government-sponsored study found a high rate of error in facial recognition technology, especially for non-white individuals, with systems often assigning individuals the wrong gender or identifying them as the incorrect race.
An airline in Alaska had to cancel several flights after what the company called a malicious cyber attack.
U.S. military members are now banned from using the popular social media app TikTok on government-issued devices, citing security concerns based on the app developer's potential connections to China.
https://www.pcmag.com/news/372673/us-navy-bans-tiktok-citing-cybersecurity-threat
Content management system Drupal released a series of security updates, fixing a critical vulnerability that could allow an attacker to directly upload some malicious files to a website.
https://thehackernews.com/2019/12/drupal-website-hacking.html
An unsecured Elasticsearch database exposed the personal information of more than 26,000 Honda car owners, including names, addresses, VINs and email addresses.
=========================================================
MOST PREVALENT MALWARE FILES Dec. 19 - 26:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
MD5: c2406fc0fce67ae79e625013325e2a68
VirusTotal: https://www.virustotal.com/gui/file/1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871/details
Typical Filename: SegurazoIC.exe
Claimed Product: Digital Communications Inc.
Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
SHA 256: b32093d726609c88a06f71b8fe74e9e5a04c2dfe81fc39743bdd970bf4dea017
MD5: baadce7c152b24bd48cc1f2f4a0b088d
VirusTotal: https://www.virustotal.com/gui/file/b32093d726609c88a06f71b8fe74e9e5a04c2dfe81fc39743bdd970bf4dea017/details
Typical Filename: xme64-530.exe
Claimed Product: N/A
Detection Name: W32.B32093D726-100.SBX.TG
=============================================================
(c) 2019. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743