Online Training Special Offer! Get an iPad Mini, Surface Go, or $300 Off thru Oct 2!

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

March 14, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                    March 14, 2019 - Vol. 19, Num. 11


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES March 7 - 14

============================================================


TOP VULNERABILITY THIS WEEK: Microsoft discloses 64 vulnerabilities as part of Patch Tuesday


******************** Sponsored By Uptycs ******************


Join SANS Instructor, Dave Shackleford, and Milan Shah, Uptycs Co-Founder and CTO, as he explores how the open source, universal agent, osquery, is providing a single view of the truth with a comprehensive data set inclusive of 100s of system attributes across operating systems, containers and cloud workloads. Register: http://www.sans.org/info/211082


============================================================

TRAINING UPDATE

 

-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019


-- SANS London April 2019 | April 8-13 | https://www.sans.org/event/london-april-2019


-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019


-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019


-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019


-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019


-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019


-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019


-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019


-- SANS OnDemand and vLive Training

Get an iPad Mini, ASUS Chromebook C223NA or Take $250 Off with OnDemand or vLive training. Offer ends March 20.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) "Securing Your Endpoints with Carbon Black: A SANS Review of the CB Predictive Security Cloud Platform" with Dave Shackleford. Register:  http://www.sans.org/info/211087


2) What does it take to establish a successful security operations program? Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/211092


3) Check out the Security Insights Blog here: http://www.sans.org/info/211097


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Patch Tuesday includes 17 critical Microsoft vulnerabilities

Description: Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 64 vulnerabilities, 17 of which are rated critical, 45 that are considered important and one moderate and low vulnerability each. This release also includes two critical advisoriesone covering security updates to Adobe Flash Player and another concerning SHA-2.

Reference: https://blog.talosintelligence.com/2019/03/microsoft-patch-tuesday-march-2019.html

Snort SIDs: 45142, 45143, 46554, 46555, 48051, 48052, 49172, 49173, 49364 - 49369, 49371, 49372, 49378 - 49395, 49400 - 49403


Title: Multiple vulnerabilities in Pixar Renderman

Description: The MacOS version of Pixar Renderman contains three local vulnerabilities in its install helper tool. An attacker could exploit these bugs to escalate their privileges to root. Renderman is a rendering application used in animation and film production produced by Pixar, a well-known film studio. When installing the application, a helper tool is installed and launched as root. This service continues to listen even after installation is complete. These vulnerabilities lie in the `Dispatch` function of this helper tool.

Reference: https://blog.talosintelligence.com/2019/03/vuln-spotlight-pixar-renderman-local-2019.html

Snort SIDs: 48450 - 48453, 49088, 49089


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Iranian hackers stole an estimated six terabytes of data off of Citrix networks, including e-mails and files stored on sharing services.

https://www.forbes.com/sites/kateoflahertyuk/2019/03/10/citrix-data-breach-heres-what-to-do-next/#49654a741476


Several popular car alarm systems can be bypassed and turned off remotely by attackers, according to new research.

https://www.bbc.com/news/technology-47485731


Google Chrome pushed users to upgrade to Windows 10 after the web browser disclosed a zero-day bug in Windows 7 and Chrome that could allow attackers to push malicious code to users.

https://www.theverge.com/2019/3/8/18256335/google-chrome-windows-against-zero-day-vulnerabilities-update


A new report from the U.S.s Office of the Inspector General warns that NASA has serious cybersecurity holes that could open the space agency to an attack from a nation-state actor.

https://www.infosecurity-magazine.com/news/nasas-poor-cybersecurity-1-1-1/


Adobe patched critical vulnerabilities in Photoshop and Digital Editions as part of its monthly security update.

https://www.bleepingcomputer.com/news/security/adobe-releases-march-2019-security-fixes-for-photoshop-cc-and-digital-editions/


Social media hackers have stepped up their efforts over the past few months to reinforce pro-Brexit sentiment as the British government works on a deal to leave the European Union.

https://www.securityweek.com/pro-brexit-twitter-manipulation-continues


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


IID:     CVE-2019-5786

Title:     Google Chrome User After Free Arbitrary Code Execution Vulnerability

Vendor: Microsoft

Description: A use-after-free vulnerability exists in the FileReader component of Google Chrome. It could be exploited by unprivileged attackers to gain privileges on the Chrome web browser and to escape the sandbox to run arbitrary code.

CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:     CVE-2019-0187

Title:     Apache JMeter Remote Code Execution Vulnerability

Vendor: Apache

Description: An unauthenticated RCE is possible when JMeter is used in distributed mode. Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. Apache JMeter versions 4.0, 5.0 are vulnerable.

CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:     CVE-2019-1596

Title:     Cisco NX-OS Software Bash Shell Local Privilege Escalation Vulnerability

Vendor: Cisco

Description: A vulnerability exists in the Bash shell implementation for Cisco NX-OS Software. This could allow an authenticated, local attacker to escalate their privilege level to root due to incorrect permissions of a system executable. An attacker could exploit this vulnerability by authenticating to the device and entering a crafted command at the Bash prompt.

CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


ID:     CVE-2019-1707

Title:     Cisco DNA Center Access Contract HTML Injection Vulnerability

Vendor: Cisco

Description: Cisco DNA Center Access Contract is exposed to an HTML-injection vulnerability that could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

CVSS v2 Base Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)


ID:     CVE-2019-0809

Title:     Microsoft Visual Studio Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists when the Visual Studio C++ Redistributable Installer improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited the vulnerability could execute arbitrary code.

CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


ID:     CVE-2019-0603

Title:     Microsoft Windows TFTP Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that Windows Deployment Services TFTP Server handles objects in memory.Successful exploitation allows an attacker to remote code execution and take control of an affected system.

CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:     CVE-2019-0808, CVE-2019-0797

Title:     Microsoft Windows Win32k Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

CVSS v2 Base Score: 6.3 (AV:L/AC:H/Au:N/C:C/I:C/A:C)


ID:     CVE-2019-7816

Title:     Adobe ColdFusion Arbitrary File-Upload Vulnerability

Vendor: Adobe

Description: Adobe ColdFusion is exposed to an arbitrary file-upload vulnerability. An attacker could exploit this vulnerability to upload a malicious file and execute arbitrary code in the context of the running ColdFusion service.

CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


=========================================================


MOST PREVALENT MALWARE FILES March 7 - 14:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f

MD5: 38de5b216c33833af710e88f7f64fc98

VirusTotal: https://www.virustotal.com/#/file/9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f/details

Typical Filename: SECOH-QAD.exe

Claimed Product: N/A

Detection Name: W32.Hacktool.22ei.1201



SHA 256: 225bb8a1bdcd0132a3624fde62f109a4d59056bc7418a7838b6ac0997127259b

MD5: f953dd9537961aa72648f39379b7ff51

VirusTotal: https://www.virustotal.com/#/file/225bb8a1bdcd0132a3624fde62f109a4d59056bc7418a7838b6ac0997127259b/details

Typical Filename: SOA.doc

Claimed Product: N/A

Detection Name: W32.225BB8A1BD-95.SBX.TG



SHA 256: 6d36f92ee3f1a7be56e00118cebf62fc4f3f127e307f5a4e7f008793ca549671

MD5: b23f736c46d9fa238b02c9eb0cea37cf

VirusTotal: https://www.virustotal.com/#/file/6d36f92ee3f1a7be56e00118cebf62fc4f3f127e307f5a4e7f008793ca549671/details

Typical Filename: CONFIGURETGN.EXE

Claimed Product: N/A

Detection Name: Win.Malware.Generic::in03.talos



SHA 256: 18042540b39d543e9e648e5d0b059d2e8c74889bb9353674be59c94da265f393

MD5: 1a5a7532854ab45ac74b1c657fe47941

VirusTotal: https://www.virustotal.com/#/file/18042540b39d543e9e648e5d0b059d2e8c74889bb9353674be59c94da265f393/details

Typical Filename: helperamc.zip

Claimed Product: Advanced Mac Cleaner

Detection Name: W32.18042540B3-95.SBX.TG



SHA 256: 60c5f5f3b78b151fe6a01d4957ad536496b646e9d8288703d10fb8a03afb3b64

MD5: efcaf7a94501ad0c9a37f459a91e493f

VirusTotal: https://www.virustotal.com/#/file/60c5f5f3b78b151fe6a01d4957ad536496b646e9d8288703d10fb8a03afb3b64/details

Typical Filename: 1SOAJAN19_exe.bin

Claimed Product: MONARCHOMACHIC9

Detection Name: W32.60C5F5F3B7-100.SBX.T


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743