
@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of @RISK is to provide the data that ensures the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) remain the most effective defenses against all known attack vectors. Because it is also valuable to security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who want to stay current with the offensive methods in use.

March 7, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

             March 7, 2019 - Vol. 19, Num. 10


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES March 1 - 7

============================================================


TOP VULNERABILITY THIS WEEK: Attacks pick up on vulnerable Cisco SOHO routers


*********** Sponsored By NETSCOUT Systems, Inc. ***********


"Maximizing SOC Effectiveness and Efficiency with Integrated Operations and Defense" John Pescatore, SANS Institute, joined by Arabella Hallawell, NETSCOUT, will talk with security managers about how the most commonly cited barriers to improving security operations, including lack of budget and lack of staff, can be overcome. Register: http://www.sans.org/info/210995


============================================================

TRAINING UPDATE

 

-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019


-- SANS Munich March 2019 | March 18-23 | https://www.sans.org/event/munich-march-2019


-- SANS Secure Canberra 2019 | March 18-23 | https://www.sans.org/event/secure-canberra-2019


-- SANS London April 2019 | April 8-13 | https://www.sans.org/event/london-april-2019


-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019


-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019


-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019


-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019


-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019


-- SANS OnDemand and vLive Training

Get an iPad Mini, ASUS Chromebook C223NA or Take $250 Off with OnDemand or vLive training. Offer ends March 20.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Don't Miss "Overcoming Obstacles to Secure Multi-cloud Access" with John Pescatore and Rajoo Nagar. http://www.sans.org/info/211000


2) SURVEY: Are you involved with operational technology and ICS? SANS wants to hear from you! Take 10 minutes to complete the State of OT/ICS Cybersecurity Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/211005


3) What does it take to establish a successful security operations program? Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/211010


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Cisco patches critical vulnerabilities in RV series of routers

Description: Attackers have begun exploiting Cisco small and home office routers in the wild after the company patched a critical bug in its RV line. The flaw in the routers' web-based management interface can be exploited without authentication, so any device that exposes that interface to the internet can be attacked remotely. Affected models include the Cisco RV110W, RV130W and RV215W.

Reference: https://www.zdnet.com/article/hackers-have-started-attacks-on-cisco-rv110-rv130-and-rv215-routers/

Snort SIDs: 49296


Title: 19-year-old WinRAR vulnerability finally patched

Description: RARLAB has fixed a 19-year-old vulnerability in WinRAR, and a third-party micropatch released last week addresses the same bug without dropping the affected feature. The flaw, CVE-2018-20250, is a path traversal in the UNACEV2.DLL library that WinRAR uses to extract ACE archives: a specially crafted archive can place a file outside the chosen extraction directory, which lets an attacker who tricks a user into opening it take over the machine. The latest WinRAR release removes support for ACE archives entirely rather than fixing the library.

Reference: https://www.bleepingcomputer.com/news/security/19-year-old-winrar-rce-vulnerability-gets-micropatch-which-keeps-ace-support/

Snort SIDs: 49289 - 49292


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


A Dow Jones watchlist of 2.4 million people considered high-risk leaked after a third party left it on a database without a password.

https://techcrunch.com/2019/02/27/dow-jones-watchlist-leak/


New reporting pulled the curtain back on Facebook's massive effort to sway privacy policies across the world by influencing politicians.

https://www.theguardian.com/technology/2019/mar/02/facebook-global-lobbying-campaign-against-data-privacy-laws-investment


Thailand passed a new law that critics are calling martial law for the internet; it could allow the country's military to make its own cyber laws in urgent cases.

https://www.reuters.com/article/us-thailand-cyber/thailand-passes-internet-security-law-decried-as-cyber-martial-law-idUSKCN1QH1OB


The popular cryptocurrency miner Coinhive is shutting down, but not over security concerns.

https://www.theverge.com/2019/2/28/18244636/coinhive-cryptojacking-cryptocurrency-mining-shut-down-monero-date


The Chinese hacking group APT40 reportedly carried out multiple cyber attacks against several countries in an effort to bolster China's navy.

https://www.infosecurity-magazine.com/news/chinas-apt40-group-stole-navy-1-1/


U.S. Cyber Command carried out an offensive cyber attack against a well-known Russian troll farm on the day of the 2018 midterm elections in the U.S.

https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html?utm_term=.1b697505f7c9


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:     CVE-2018-1999002

Title:     Jenkins Arbitrary File Access Vulnerability 

Vendor: Jenkins

Description: An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier and LTS 2.121.1 and earlier, in the Stapler web framework (org/kohsuke/stapler/Stapler.java). Successful exploitation lets an unauthenticated attacker read arbitrary files from the Jenkins master's filesystem, which may aid in further attacks.

CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)


ID:     CVE-2018-19519

Title:     Tcpdump Stack-Based Buffer Over-read Vulnerability

Vendor: Tcpdump

Description: A stack-based buffer over-read exists in the print_prefix function of print-hncp.c when tcpdump parses crafted HNCP packet data. An attacker who can place such traffic on a monitored segment, or in a capture file that is later read, can make tcpdump disclose adjacent stack memory; the CVSS vector below reflects that information-disclosure impact.

CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)


ID:       CVE-2019-6340

Title:     Drupal Remote Code Execution Vulnerability (SA-CORE-2019-003)

Vendor: Drupal

Description: Arbitrary PHP code execution is possible in Drupal 8 because some field types do not properly sanitize data from non-form sources, such as web services requests. A site is exposed when the core RESTful Web Services module is enabled and allows PATCH or POST requests, or when another web services module is enabled. Successful exploitation leads to arbitrary PHP code execution.

CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:     CVE-2018-19107

Title:     Exiv2 Denial of Service Vulnerability

Vendor: Exiv2

Description: A vulnerability was found in Exiv2 0.26 (image metadata library). It affects the function Exiv2::IptcParser::decode in iptc.cpp, called from psdimage.cpp in the PSD image reader. A heap-based buffer over-read caused by an integer overflow can result in a denial of service via a crafted file.

CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)


ID:     CVE-2018-20122

Title:     Fastweb Fastgate Remote Code Execution Vulnerability

Vendor: Fastweb

Description: The status.cgi binary in the web interface of the Fastweb Fastgate home gateway is vulnerable to command injection, which can be exploited to achieve remote code execution with root privileges.

CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
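The Fastgate entry above is a textbook command injection: a CGI handler splices a request parameter into a shell command line, and because the CGI runs as root, so does whatever the attacker appends. The following Python is an added illustration, not Fastweb's code (the Fastgate firmware and its parameter names are not public); the `host` parameter and the `ping` command are assumptions chosen to resemble a router status page. It shows the vulnerable pattern beside a hardened handler that validates the input as an IP address or hostname and then passes it to the process as a separate argument with no shell involved.

```python
import ipaddress
import re
import subprocess

# Hostname labels per RFC 1123: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class RejectedInput(ValueError):
    """Raised by the hardened handler when a parameter fails validation."""


def build_vulnerable_command(params: dict) -> str:
    """Vulnerable pattern: the request parameter is spliced into a shell string.
    A value such as '127.0.0.1; id' makes the shell run a second command; when the
    CGI runs as root (as the Fastgate entry reports), the injected command does too."""
    return "ping -c 1 " + params.get("host", "")   # later executed with shell=True


def validate_host(value: str) -> str:
    """Allowlist validation: accept only a literal IP address or a syntactically
    valid hostname. Everything else (shell metacharacters, spaces, leading '-')
    is rejected before it gets anywhere near a process."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if 1 <= len(value) <= 253 and all(_LABEL.match(label) for label in value.split(".")):
        return value
    raise RejectedInput("host parameter is not an IP address or hostname: %r" % value)


def is_accepted(value: str) -> bool:
    """True if validate_host() would accept the value."""
    try:
        validate_host(value)
        return True
    except RejectedInput:
        return False


def build_hardened_argv(params: dict) -> list:
    """Hardened pattern: validate first, then hand the process a fixed argv.
    With no shell in the path, ';', '|', '`' and '$()' would be plain bytes inside
    one argument; the allowlist means they never reach the program at all, and
    because no accepted value starts with '-', option injection is ruled out too."""
    host = validate_host(params.get("host", ""))
    return ["ping", "-c", "1", host]


def run_status(params: dict, timeout: float = 5.0) -> str:
    """Execute the hardened command (shell=False) and return its output for the page."""
    argv = build_hardened_argv(params)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False)
    return proc.stdout
```

Run the CGI as an unprivileged user as well: the allowlist stops the injection, but dropping root is what limits the blast radius when the next parser bug appears.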


ID:     CVE-2019-7238

Title:     Nexus Repository Manager 3 Remote Code Execution Vulnerability

Vendor: Sonatype

Description: Nexus Repository Manager 3 does not properly enforce access controls, which results in a remote code execution vulnerability. An unauthenticated, remote attacker could exploit this to execute arbitrary Java code on the system.


ID:     CVE-2018-20250

Title:     WinRAR Arbitrary Code Execution Vulnerability

Vendor: RARLAB

Description: RARLAB WinRAR is prone to an arbitrary code execution vulnerability that arises when it parses crafted ACE archives, including ACE data given a .rar extension, since WinRAR identifies the format by content. Successful exploitation could allow an attacker to execute arbitrary code in the context of the current user.

CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
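Both WinRAR items in this issue hinge on two facts: WinRAR identifies ACE data by content, so the file extension is no protection, and the file name stored in the archive header decides where the extractor writes. The following Python is an added example, not from the newsletter, RARLAB or the micropatch vendor. It sniffs the real container format from magic bytes and walks the ACE header chain to flag stored names containing traversal segments or absolute paths, which is the check a mail gateway or triage script would apply before handing a ".rar" to a user. The ACE header layout it assumes (main header with "**ACE**" at offset 7, FILE32/FILE64 headers with the fixed field order given in the docstring) follows the public ACE 2.0 format as implemented by open-source unace tools; treat those offsets as an assumption to confirm against a real sample before relying on it, and note that it ignores header CRCs and compressed payloads entirely.

```python
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ACE_MAGIC = b"**ACE**"          # sits at byte offset 7, after crc(2) size(2) type(1) flags(2)

# ACE header type codes (assumed layout, see lead-in).
ACE_MAIN, ACE_FILE32, ACE_FILE64 = 0, 1, 3


def sniff_archive(data: bytes) -> str:
    """Identify the real container from magic bytes, ignoring the file extension."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if data[7:14] == ACE_MAGIC:
        return "ace"
    return "unknown"


def is_suspicious_path(name: str) -> bool:
    """Flag names an extractor should never write to: absolute, drive-rooted,
    UNC, or containing a '..' segment in either separator style."""
    if name.startswith(("/", "\\")):
        return True
    if len(name) >= 2 and name[0].isalpha() and name[1] == ":":
        return True
    return ".." in name.replace("\\", "/").split("/")


def ace_file_names(data: bytes) -> list:
    """Walk the ACE header chain and return the stored file names.
    Common prefix: crc(2) size(2) type(1) flags(2). FILE32 body after flags:
    packsize(4) origsize(4) datetime(4) attribs(4) crc32(4) comptype(1)
    compqual(1) params(2) reserved(2) fnamesize(2) fname. FILE64 widens
    packsize/origsize to 8 bytes. Packed data of packsize bytes follows a file header."""
    names = []
    pos = 0
    while pos + 4 <= len(data):
        (hdr_size,) = struct.unpack_from("<H", data, pos + 2)
        body = data[pos + 4 : pos + 4 + hdr_size]
        if hdr_size < 3 or len(body) < hdr_size:
            break                      # truncated or nonsensical header
        hdr_type = body[0]
        pos += 4 + hdr_size
        if hdr_type == ACE_MAIN:
            continue                   # only the next header follows the main header
        if hdr_type == ACE_FILE32:
            size_fmt, name_len_off = "<I", 29
        elif hdr_type == ACE_FILE64:
            size_fmt, name_len_off = "<Q", 37
        else:
            break                      # recovery records / unknown types: stop, don't guess
        if len(body) < name_len_off + 2:
            break
        (packsize,) = struct.unpack_from(size_fmt, body, 3)
        (name_len,) = struct.unpack_from("<H", body, name_len_off)
        raw = body[name_len_off + 2 : name_len_off + 2 + name_len]
        names.append(raw.decode("latin-1"))
        pos += packsize                # skip the packed data that follows the header
    return names


def analyze(data: bytes) -> dict:
    """Report the sniffed format and, for ACE, every stored name that would escape
    the extraction directory."""
    kind = sniff_archive(data)
    report = {"format": kind, "ace_names": [], "suspicious": []}
    if kind == "ace":
        report["ace_names"] = ace_file_names(data)
        report["suspicious"] = [n for n in report["ace_names"] if is_suspicious_path(n)]
    return report


def build_ace(names) -> bytes:
    """Constructed test data, not a real sample: one main header plus one FILE32
    header per name, each with an empty data stream and zeroed header CRCs."""
    main_body = (bytes([ACE_MAIN]) + struct.pack("<H", 0) + ACE_MAGIC
                 + bytes([20, 20, 0, 0])                 # eversion, cversion, host, volume
                 + bytes(4) + bytes(8))                  # datetime, reserved1
    out = struct.pack("<HH", 0, len(main_body)) + main_body
    for name in names:
        fname = name.encode("latin-1")
        body = (bytes([ACE_FILE32]) + struct.pack("<H", 0)
                + struct.pack("<IIIII", 0, 0, 0, 0x20, 0)          # packsize..crc32
                + struct.pack("<BBHHH", 0, 0, 0, 0, len(fname))    # comptype..fnamesize
                + fname)
        out += struct.pack("<HH", 0, len(body)) + body
    return out
```

A file that sniffs as "ace" while carrying a .rar extension is already worth quarantining on its own, whether or not any stored name is suspicious, since the micropatch and the WinRAR update both treat the ACE code path as the risk.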

 

ID:     CVE-2019-1663

Title:     Cisco Routers Management Interface Remote Command Execution Vulnerability - (cisco-sa-20190227-rmi-cmd-ex)

Vendor: Cisco

Description: A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface.

CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Note: no public exploit for this vulnerability was available at the time this list was compiled.


=========================================================


MOST PREVALENT MALWARE FILES March 1 - 7:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: dfe2fcb006df972edf4f8e721bab26cfec809768a0bfbccf5fc661b6ea85dba9

MD5: b860cf8c4cb5dc676ef4893a704c9f8d

VirusTotal: https://www.virustotal.com/#/file/dfe2fcb006df972edf4f8e721bab26cfec809768a0bfbccf5fc661b6ea85dba9/details

Typical Filename: MyMapDirections-14900991.exe

Claimed Product: IEInstaller

Detection Name: W32.Auto:dfe2fc.in03.Talos


SHA 256: 3573bf742920655ec2c28c9ec4ac04194e38096f54c63f0ceb02d366c1034f56

MD5: b6ca0e72b072f40f5544b9fd054d6ed1

VirusTotal: https://www.virustotal.com/#/file/3573bf742920655ec2c28c9ec4ac04194e38096f54c63f0ceb02d366c1034f56/details

Typical Filename: maftask.zip

Claimed Product: N/A

Detection Name: Auto.3573BF7429.Sbmt.tht.Talos


SHA 256: d7d80bf3f32c20298cad1d59ca8cb4508bad43a9be5e027579d7fc77a8e47be0

MD5: d8461f2978de84045e7ad6bea7a60418

VirusTotal: https://www.virustotal.com/#/file/d7d80bf3f32c20298cad1d59ca8cb4508bad43a9be5e027579d7fc77a8e47be0/details

Typical Filename: Window.exe

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd

MD5: 147ba798e448eb3caa7e477e7fb3a959

VirusTotal: https://www.virustotal.com/#/file/790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd/details

Typical Filename: ups.exe

Claimed Product: TODO: <产品名> (Chinese for "product name")

Detection Name: W32.Variant:Malwaregen.22d1.1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir

Claimed Product: N/A

Detection Name: W32.Generic:Gen.21ij.1201
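To turn the hash list above into something actionable, the following Python computes SHA-256 and MD5 for every file under a directory in a single streaming pass and reports any match. It is an added example, not a Talos or VirusTotal tool; the digests and labels are copied from the five entries above, and the directory to scan is supplied by the caller.

```python
import hashlib
import io
import os

# IOCs from the "Most prevalent malware files" list above: digest -> typical filename.
IOC_SHA256 = {
    "dfe2fcb006df972edf4f8e721bab26cfec809768a0bfbccf5fc661b6ea85dba9": "MyMapDirections-14900991.exe",
    "3573bf742920655ec2c28c9ec4ac04194e38096f54c63f0ceb02d366c1034f56": "maftask.zip",
    "d7d80bf3f32c20298cad1d59ca8cb4508bad43a9be5e027579d7fc77a8e47be0": "Window.exe",
    "790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd": "ups.exe",
    "15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b": "799b30f47060ca05d80ece53866e01cc.vir",
}
IOC_MD5 = {
    "b860cf8c4cb5dc676ef4893a704c9f8d": "MyMapDirections-14900991.exe",
    "b6ca0e72b072f40f5544b9fd054d6ed1": "maftask.zip",
    "d8461f2978de84045e7ad6bea7a60418": "Window.exe",
    "147ba798e448eb3caa7e477e7fb3a959": "ups.exe",
    "799b30f47060ca05d80ece53866e01cc": "799b30f47060ca05d80ece53866e01cc.vir",
}


def hash_stream(fh, chunk_size=1 << 20):
    """Compute SHA-256 and MD5 in one pass so each file is read from disk only once."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        sha256.update(chunk)
        md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def hash_bytes(data: bytes):
    """Same as hash_stream() for in-memory data."""
    return hash_stream(io.BytesIO(data))


def match_iocs(sha256_hex: str, md5_hex: str):
    """Return (label, matched_by) or None. SHA-256 is authoritative; an MD5-only hit is
    labelled separately because MD5 collisions are cheap to manufacture, so it should be
    confirmed against the SHA-256 before anyone acts on it."""
    sha256_hex, md5_hex = sha256_hex.lower(), md5_hex.lower()
    if sha256_hex in IOC_SHA256:
        return IOC_SHA256[sha256_hex], "sha256"
    if md5_hex in IOC_MD5:
        return IOC_MD5[md5_hex], "md5-only"
    return None


def scan_tree(root: str):
    """Walk a directory tree and return [(path, sha256, label, matched_by)] for each hit.
    Unreadable files are skipped rather than aborting the whole scan."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    sha256_hex, md5_hex = hash_stream(fh)
            except OSError:
                continue
            hit = match_iocs(sha256_hex, md5_hex)
            if hit:
                hits.append((path, sha256_hex, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, label, how in scan_tree(root):
        print("%s  %s  matches %s (%s)" % (path, digest, label, how))
```

Usage: `python ioc_scan.py /path/to/downloads`. Only SHA-256 matches should drive a response; the "md5-only" label exists so a weaker indicator is visible without being mistaken for a confirmed hit.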

=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743