Learn cyber security skills you can implement immediately! Seven courses offered Jan. 20-25 in Anaheim, CA

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

April 4, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                April 4, 2019 - Vol. 19, Num. 14


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES March 28 - April 4

============================================================


TOP VULNERABILITY THIS WEEK: Huawei software vulnerability opens Windows systems to attacks


**************** Sponsored By AWS Marketplace **************


AWS Marketplace Series: Threat Modeling in the Cloud: Securing Web Apps in AWS. SANS instructor Shaun McCullough, with AWS solutions architect manager David Aiken, on how to seamlessly integrate risk modeling into DevOps to secure customer-facing web apps. Register here for Webcast, April 25, 2 PM ET. http://www.sans.org/info/211270


============================================================

TRAINING UPDATE

 

-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019


-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019


-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019


-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019


-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019


-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019


-- Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10 | https://www.sans.org/event/enterprise-defense-summit-2019


-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019


-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019


-- SANS OnDemand and vLive Training

Get an iPad, Samsung Galaxy Tab A, or $250 Off with OnDemand or vLive training. Offer ends April 17.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) ICYMI SANS Automation & Integration Security Briefing: SOARing to New Heights - Using Orchestration & Automation Tools in the Way They're Intended. http://www.sans.org/info/211515


2) Ixia's Vision ONE is a device that enables organizations to gain visibility into threats and manage security operations within a single platform. Learn More:  http://www.sans.org/info/211520


3) Register for this webcast to learn how to take back control of your DNS traffic and prevent threats. http://www.sans.org/info/211525


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP



Title: Huawei PCManager could allow attackers to alter Windows kernel

Description: Microsoft recently discovered a serious vulnerability in Huawei's PCManager that could allow attackers to alter the Windows 10 kernel in Huawei's line of MateBook machines. The Chinese tech company patched the bug in January, but it was just disclosed last week. An attacker could exploit this vulnerability by tricking the user into running a malicious application.

Reference: https://www.zdnet.com/article/microsoft-windows-10-devices-open-to-full-compromise-from-huawei-pc-driver/

Snort SIDs: 49628 - 49632



Title: Cisco discloses several vulnerabilities in IOS XE

Description: Cisco released a slew of patches last week to fix 24 vulnerabilities in its IOS operating system. The company also warned customers that two routers in its RV line are open to attack, and no fix is available as of yet. Fifteen of the bugs exist on IOS XE, which runs on Cisco networking gear such as switches, routers and controllers.

Reference: https://threatpost.com/cisco-releases-flood-of-patches-for-ios-xe-and-small-business-routers/143228/

Snort SIDs: 49606 - 49616, 49588 - 49591


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Attackers collected credit card information from Buca di Beppo restaurants for nearly a year, eventually selling the data on the dark web.

https://krebsonsecurity.com/2019/03/a-month-after-2-million-customer-cards-sold-online-buca-di-beppo-parent-admits-breach/


Australia and Singapore adopted new laws that crack down on social media sites that fail to remove violent and gruesome content quickly.

https://www.bloomberg.com/news/articles/2019-03-30/australia-to-crack-down-on-live-streaming-of-violent-crimes


A new phishing campaign specifically targets Verizon cell phone customers.

https://blog.lookout.com/mobile-phishing-verizon


Google fixed three critical remote code execution vulnerabilities in Android devices as part of its monthly security update.

https://threatpost.com/googles-april-android-security-bulletin-warns-of-3-critical-bugs/143357/


Facebook CEO Mark Zuckerberg pushed for tougher privacy laws in the U.S., urging the federal government to become more involved in data privacy and election security.

https://www.cnbc.com/2019/03/30/mark-zuckerberg-calls-for-tighter-internet-regulations-we-need-a-more-active-role-for-governments.html


Iran is being blamed for a major cyber attack against infrastructure in the U.K. that took place in December.

https://news.sky.com/story/iran-conducted-major-cyber-assault-on-key-uk-infrastructure-11676686


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2019-7524

Title:    Dovecot Stack Buffer Overflow Vulnerability

Vendor:    Dovecot

Description: A a stack-based buffer-overflow vulnerability exists in the way a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components.

CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2018-18281

Title:    Linux Kernel Local Security Bypass Vulnerability

Description: Linux kernel is exposed to a local security bypass vulnerability which can be leveraged to bypass certain security restrictions and perform unauthorized actions.

CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2018-17182

Title:    Linux Kernel Local Privilege Escalation Vulnerability

Description: Linux kernel is exposed to a local privilege escalation vulnerability that exists in a way an attacker can trigger a use-after-free via certain thread creation, map, unmap, invalidation, and dereference operations.

CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-5518

Title:    VMware Workstation Remote Code Execution Vulnerability

Vendor:    VMWare

Description: VMware ESXi contain an out-of-bounds read or write vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface). Exploitation of this issue may allow a guest to execute code on the host.

CVSS v2 Base Score: 4.1 (AV:L/AC:M/Au:S/C:P/I:P/A:P)


ID:        CVE-2019-10649

Title:    ImageMagick Denial of Service Vulnerability

Vendor:    ImageMagick

Description: ImageMagick is exposed to a memore leak in the function SVGKeyValuePairs of coders/svg.c, which allows an attacker to cause a denial of service via a crafted image file.

CVSS v2 Base Score:  4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)


ID:        CVE-2018-18065

Title:    Net-SNMP CVE-2018-18065 Remote Denial of Service Vulnerability

Vendor:    Net-SNMP

Description: Net-SNMP is exposed to a remote denial of service vulnerability. An attacker may exploit this issue to cause the affected application to crash resulting in a denial of service condition.

CVSS v2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)


ID:        CVE-2018-7600

Title:    TIBCO Data Science HTML injection vulnerability

Vendor:    TIBCO

Description: TIBCO Data Science products are exposed to an HTML injection vulnerability because it fails to sanitize user-supplied input. Successful exploits may allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user.

CVSS v2 Base Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)


ID:        CVE-2019-10044

Title:    Telegram Homograph Domain Spoofing Vulnerability

Vendor:    Telegram

Description:  Telegram Desktop is vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets.

CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


=========================================================


MOST PREVALENT MALWARE FILES March 28 - April 4:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: d98edcaf8acdd135b38ad5d6ce503e59868555f5acb6aaa95017ec758a6603ac

MD5: a7608ce0baea081df610eb9accb4400e

VirusTotal: https://www.virustotal.com/#/file/d98edcaf8acdd135b38ad5d6ce503e59868555f5acb6aaa95017ec758a6603ac/details

Typical Filename:

emotet_e1_d98edcaf8acdd135b38ad5d6ce503e59868555f5acb6aaa95017ec758a6603ac_2019-03-26__175503.exe_

Claimed Product: Advanced PDF Converter

Detection Name: W32.d98edcaf8a.Malspam.MRT.Talos


SHA 256: ec604bc4c6020b69868f14ea05295ac7c27e0ec01c288657199d8917850f3443

MD5: 97911a1da380f874393cf15982c6b1b9

VirusTotal: https://www.virustotal.com/#/file/ec604bc4c6020b69868f14ea05295ac7c27e0ec01c288657199d8917850f3443/details

Typical Filename: spoolsv.exe

Claimed Product: Microsoft(R) Windows(R) Operating System

Detection Name: W32.GenericKD:Trojan.22co.1201


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/#/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56

MD5: 4cf6cc9fafde5d516be35f73615d3f00

VirusTotal: https://www.virustotal.com/#/file/8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56/details

Typical Filename: max.exe

Claimed Product: x6613x8BEDx8A00x7A0Bx5E8F

Detection Name: Win.Dropper.Armadillo::1201


SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044

MD5: b89b37a90d0a080c34bbba0d53bd66df

VirusTotal: https://www.virustotal.com/#/file/46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044/details

Typical Filename: u.exe

Claimed Product: Orgs ps

Detection Name: W32.GenericKD:Trojangen.22ek.1201


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743