Learn cyber security skills you can implement immediately! Seven courses offered Jan. 20-25 in Anaheim, CA

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

March 28, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                    March 28, 2019 - Vol. 19, Num. 13


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES March 21 - 28

============================================================


TOP VULNERABILITY THIS WEEK: WordPress plugin vulnerabilities open sites to attack


******************** Sponsored By Unisys ********************


"Building a Zero Trust Model in the Cloud with Microsegmentation."  

Unisys experts will introduce concepts associated with the Zero Trust model in the cloud and show how Unisys Stealth(R) and Palo Alto Networks provide a unified platform to enhance system survivability and reduce the impact of potential threats.  Register:  https://www.sans.org/webcasts/building-zero-trust-model-cloud-microsegmentation-110225


============================================================

TRAINING UPDATE


-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019


-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019


-- SANS London April 2019 | April 8-13 | https://www.sans.org/event/london-april-2019


-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019


-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019


-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019


-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019


-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019


-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019


-- SANS OnDemand and vLive Training


Get a GIAC Certification Attempt Included or take $350 Off your OnDemand or vLive course. Offer ends April 3.


https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcast - https://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training


SANS Mentor |  https://www.sans.org/mentor/about


Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap


https://www.sans.org/courses


https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) "How to Automate Compliance Gaps for Public Cloud" with John Pescatore.  Register:  https://www.sans.org/webcasts/automate-compliance-gaps-public-cloud-110320


2) "Simplifying Application Security with VMware AppDefense" with Dave Shackleford.  Learn More:  https://www.sans.org/webcasts/simplifying-application-security-vmware-appdefense-110585


3) Don't Miss "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks"  Register:  https://www.sans.org/webcasts/year-magecart-continuation-web-based-supply-chain-attacks-110595


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Two serious bugs in WordPress affect popular plugins

Description: WordPress patched two vulnerabilities in two of the most popular plugins available on the content management system. They both could allow an attacker to run extensions on top of affected websites. While WordPress has patched these bugs, the two plugins still appear to be downloaded often.

Reference: https://arstechnica.com/information-technology/2019/03/two-serious-wordpress-plugin-vulnerabilities-are-being-exploited-in-the-wild/

Snort SIDs: 49541 - 49543


Title: Trickbot dropping IcedID banking trojan

Description: Security researchers recently discovered that the IcedID banking trojan and the Trickbot dropper may be more closely related than once thought. Ties between the two malware families may even date back to six years ago, although they were discovered about a year apart. Researchers with IBM's X-Force say there's been a recent uptick in threat actors working together to deliver different kinds of banking trojans.

Reference: https://securityintelligence.com/the-business-of-organized-cybercrime-rising-Intergang-collaboration-in-2018/

Snort SIDs: 49544 - 49547, 49549 - 49551


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


A cellphone spyware seller left more than 95,000 private photos and 25,000 audio records on an unsecured server accessible to anyone on the internet.

https://motherboard.vice.com/en_us/article/7xnybe/hosting-provider-takes-down-spyware-mobiispy


Several tenants of a New York City apartment building are suing their landlord to remove keyless entry devices on their doors and replace them with physical locks. https://www.nytimes.com/2019/03/23/nyregion/keyless-apartment-entry-nyc.html


Chinese intelligence agencies are using LinkedIn to recruit foreign military spies.

https://www.cyberscoop.com/linkedin-china-spies-kevin-mallory-ron-hansen/


More than 100,000 GitHub pages contain publicly accessible authentication secrets, including API and cryptographic keys, with thousands more being leaked each day.

https://www.scmagazine.com/home/security-news/paper-leaked-authentication-secrets-rampant-across-github/


ASUS corrected an update on its laptops that may have inadvertently pushed malware known as the "ShadowHammer" backdoor to users' machines.

https://www.engadget.com/2019/03/26/asus-releases-fix-for-update-tool-malware-attack/


The latest iOS update patched 51 serious vulnerabilities, including one in an app that could have allowed an attacker to listen through an iPhone's microphone without the user's knowledge.

https://www.zdnet.com/article/ios-12-1-fixes-bug-that-granted-apps-hidden-access-to-the-microphone/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:       CVE-2019-9948

Title:     Python urllib Security Bypass Vulnerability

Vendor: Python

Description: Python is exposed to a security bypass vulnerability, where an attacker can use this vulnerability to perform further attacks. This issue leads to bypass certain security restrictions and perform unauthorized actions.

CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)


ID:     CVE-2019-9956

Title:     ImageMagick Stack Buffer Overflow Vulnerability

Vendor: ImageMagick

Description: ImageMagick is exposed to a stack-based buffer-overflow vulnerability. Attackers can exploit this issue to run arbitrary code and could lead to denial of service conditions.  

CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)


ID:        CVE-2019-9797, CVE-2019-9798, CVE-2019-9799, CVE-2019-9802, CVE-2019-9803, CVE-2019-9804, CVE-2019-9805, CVE-2019-9806, CVE-2019-9807, CVE-2019-9809, CVE-2019-9808, CVE-2019-9789

Title:     Mozilla Firefox Multiple Security Vulnerabilities

Vendor: Mozilla Firefox

Description: Mozilla Firefox is exposed to multiple security vulnerabilities. These vulnerabilities can be used by attackers to bypass security restrictions, resulting in obtaining sensitive information and perform unauthorized actions.

CVSS v2 Base Score: 4.4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)


ID:     CVE-2019-9970

Title:     Signal Homograph Domain Spoofing Vulnerability

Vendor: Signal

Description: Signal is exposed to a domain-spoofing vulnerability because it fails to adequately handle homographs in international domain name domains. An attacker may leverage this issue to spoof a domain that visually resembles a legitimate domain. This may lead to a false sense of trust because the user may be presented with a URI of a seemingly trusted domain while interacting with the attacker's malicious site.

CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)


ID:     CVE-2019-9977

Title:     Tesla Unspecified Arbitrary Code Execution Vulnerability

Vendor: Tesla

Description: Tesla Model 3 is exposed to an unspecified arbitrary code-execution vulnerability. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected device. The renderer process in the entertainment system on Tesla Model 3 vehicles mishandles JIT compilation, which allows attackers to trigger firmware code execution, and display a crafted message to vehicle occupants.

CVSS v2 Base Score: 5.4 (AV:N/AC:M/Au:N/C:P/I:P/A:N)


ID:     CVE-2018-18065

Title:     Net-SNMP Remote Denial of Service Vulnerability

Vendor: Net-SNMP

Description: Net-SNMP is exposed to a remote denial of service vulnerability. An attacker may exploit this issue to cause the affected application to crash resulting in a denial of service condition.

CVSS v2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)


ID:     CVE-2019-9020, CVE-2019-9021, CVE-2019-9023, CVE-2019-9024

Title:     PHP Information Disclosure and Heap Buffer Overflow Vulnerabilities

Vendor: PHP

Description: PHP is exposed to an information disclosure heap based buffer overflow vulnerability. Successfully exploiting these issues allow attackers to execute arbitrary code in the context of the affected application or obtain sensitive information. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access.

CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:     CVE-2019-5787, CVE-2019-5788, CVE-2019-5789

Title:     Google Chrome Use After Free Vulnerability

Vendor: Google

Description: Google Chrome is exposed to user after free vulnerability in Canvas, FileAPI and WebMIDI. Successfully exploiting these issues allow attackers to execute arbitrary code in the context of the affected application or obtain sensitive information.

CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


=========================================================


MOST PREVALENT MALWARE FILES March 21 - 28:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: dcf0fd2f6cc7b7d6952e8a2a9e31d760c1f60dd6c64bffae0ab8b68384a21e8b

MD5: f22a024b4c98534e8ba7a1c03b0b6132

VirusTotal: https://www.virustotal.com/#/file/dcf0fd2f6cc7b7d6952e8a2a9e31d760c1f60dd6c64bffae0ab8b68384a21e8b/details

Typical Filename: unpacknw.zip

Claimed Product: N/A

Detection Name: Osx.Malware.Bpbw::agent.tht.talos


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/#/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 4958c38ba2d7def9ba44c5382f2c5a41c619d5a5eedfb8ac4697dbf75c306933

MD5: 6b62b380b8b14b261c5bfdfe7b017cdd

VirusTotal: https://www.virustotal.com/#/file/4958c38ba2d7def9ba44c5382f2c5a41c619d5a5eedfb8ac4697dbf75c306933/details

Typical Filename: csrs.exe

Claimed Product: Microsoft(R) Windows(R) Operating System

Detection Name: Win.Dropper.Shelma::1201


SHA 256: 8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56

MD5: 4cf6cc9fafde5d516be35f73615d3f00

VirusTotal: https://www.virustotal.com/#/file/8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56/details

Typical Filename: ok.exe

Claimed Product: x6613x8BEDx8A00x7A0Bx5E8F

Detection Name: W32.Trojangen:TR.22ew.1201


SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044

MD5: b89b37a90d0a080c34bbba0d53bd66df

VirusTotal: https://www.virustotal.com/#/file/46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044/details

Typical Filename: u.exe

Claimed Product: Orgs ps

Detection Name: W32.GenericKD:Trojangen.22ek.1201


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 11200 Rockville Pike, Suite 200, North Bethesda, MD 20852