Learn InfoSec skills you can implement immediately! Six courses available in Houston - Oct. 28-Nov. 2.

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

April 11, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

               April 11, 2019 -  Vol. 19, Num. 15


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES April 4 - 11

============================================================


TOP VULNERABILITY THIS WEEK: Microsoft releases monthly security update, fixes bugs in variety of products


*************** Sponsored By AWS Marketplace ****************


AWS Marketplace Series: Threat Modeling in the Cloud: Securing Web Apps in AWS. SANS instructor Shaun McCullough, with AWS solutions architect manager David Aiken, on how to seamlessly integrate risk modeling into DevOps to secure customer-facing web apps. Register here for Webcast, April 25, 2 PM ET. http://www.sans.org/info/211726


============================================================

TRAINING UPDATE

 

-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019


-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019


-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019


-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019


-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019


-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019


-- Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10 | https://www.sans.org/event/enterprise-defense-summit-2019


-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019


-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019


-- SANS OnDemand and vLive Training

Get an iPad, Samsung Galaxy Tab A, or $250 Off with OnDemand or vLive training. Offer ends April 17.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Register to be one of the first to experience MGT516: Managing Security Vulnerabilities: Enterprise and Cloud - a new SANS course developed for CISOs, cybersecurity managers, and aspiring information security leaders.  Learn More:   http://www.sans.org/info/211731


2) What challenges do you face with incidents and breaches? Take the 2019 SANS Integrated Incident Response Survey and enter for a chance to win a $400 Amazon gift card.

http://www.sans.org/info/211746


3) Have you visited the SANS blog page?  Take a look at what's being talked about:  http://www.sans.org/info/211751


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft patches 74 vulnerabilities, 14 critical

Description: Microsoft released its monthly security update Tuesday, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 74 vulnerabilities, 16 of which are rated "critical" and 58 that are considered "important." This release also includes a critical advisory covering a security update to Adobe Flash Player. This month's security update covers security issues in a variety of Microsoft's products, including the Chakra Scripting Engine, Microsoft Office and Windows 10.

Reference: https://blog.talosintelligence.com/2019/04/microsoft-patch-tuesday-april-2019.html

Snort SIDs: 45632, 45635, 46548, 46549, 49380, 49381, 49688, 49689, 49692 - 49711, 49716 - 49723, 49727 - 49747, 49750 - 49755



Title: Adobe fixes vulnerabilities in Flash Player, Acrobat

Description: Adobe patched vulnerabilities in 15 of its products this week as part of its monthly security update. The vulnerabilities disclosed include critical memory corruption bugs in Shockwave, as well as remote code execution vulnerabilities in Acrobat Reader.

Reference: https://www.bleepingcomputer.com/news/security/adobe-releases-april-2019-security-updates-for-flash-shockwave-and-more/

Snort SIDs: 48293, 49294


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Facebook removed dozens of malicious groups on the site after they were reported by Cisco Talos. Members of these groups promised to sell a variety of illegal cyber activity, including carding and spamming.

https://blog.talosintelligence.com/2019/04/hiding-in-plain-sight.html



The OceanLotus group has produced a new malware targeting Mac users, this time making it more difficult to detect.

https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/



A new variant of the Mirai malware is targeting more processor architectures than before, allowing it to infect a larger number of internet-of-things devices.

https://www.securityweek.com/new-mirai-variant-targets-more-processor-architectures



Researchers were able to trick the Galaxy S10's fingerprint reader with a 3-D printed model.

https://threatpost.com/samsung-galaxy-s10-fingerprint-sensor-duped-with-3d-print/143624/



The Gustuff banking trojan recently began targeting users in Australia, backpacking off the "ChristinaMorrow" text message spam scam.

https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html



Verizon patched a vulnerability in their wireless routers that could have allowed attackers to corrupt the machines and obtain root privileges.

https://www.techrepublic.com/article/vulnerability-in-verizon-fios-quantum-gateway-allows-attackers-to-gain-root-privileges/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2019-3396

Title:    Atlassian Confluence Server Remote Code Execution Vulnerability

Vendor:    Atlassian

Description: A vulnerablity exists in the Widget Connector macro in Atlassian Confluence Server that allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection. On successful exploitation it allows remote attackers to execute arbitrary commands on the system.

CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-0211

Title:    Apache HTTP Server Privilege Escalation From Modules Scripts

Vendor:    Apache

Description: A privilege escalation vulnerablity exists in Apache HTTP Server with MPM event, worker or prefork code executing in less-privileged child processes. Successful exploitation could lead to arbitrary code execution with the privileges of the parent process (usually root) by manipulating the scoreboard.

CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)


ID:        CVE-2019-10261

Title:    CentOS Web Panel Multiple HTML Injection Vulnerabilities

Vendor:    CentOS

Description: CentOS Web Panel is exposed to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. Successful exploits allows attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user.

CVSS v2 Base Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)


ID:        CVE-2019-0841

Title:    Microsoft Windows Elevation of Privilege Vulnerability

Vendor:    Microsoft

Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

CVSS v2 Base Score:    6.2 (AV:L/AC:M/Au:S/C:P/I:C/A:C)


ID:        CVE-2019-0803

Title:    Microsoft Windows Win32k Elevation of Privilege Vulnerability

Vendor:    Microsoft

Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

CVSS v2 Base Score:    6.0 (AV:L/AC:H/Au:S/C:C/I:C/A:C)


ID:        CVE-2019-9696

Title:    Symantec VIP Enterprise Gateway Cross Site Scripting Vulnerability

Vendor:    Symantec

Description: Symantec VIP Enterprise Gateway is exposed to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


ID:        CVE-2019-7524

Title:    Dovecot Stack Buffer Overflow Vulnerability

Vendor:    Dovecot

Description: Dovecot is exposed to a stack based buffer overflow vulnerability. An attacker may exploit this issue to run arbitrary code within the context of the affected application. Failed exploit attempts may result in denial of service conditions.

CVSS v2 Base Score:  7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2018-10877

Title:    Linux Kernel Local Denial of Service Vulnerability

Vendor:    Linux

Description: Linux kernel ext4 filesystem is exposed to an out of bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image. An attacker can exploit this issue to cause a denial of service condition.

CVSS v2 Base Score:    6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:        CVE-2018-1731, CVE-2018-1913

Title:    IBM Rational DOORS Next Generation Multiple Cross Site Scripting Vulnerabilities

Vendor:    IBM

Description: IBM Rational DOORS Next Generation is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie based authentication credentials and launch other attacks.

CVSS v2 Base Score:    3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)


ID:        CVE-2019-1827

Title:    Cisco Small Business RV320 and RV325 Routers Cross Site Scripting Vulnerability

Vendor:    Cisco

Description: A vulnerability exists in the Online Help web service of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers, that could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the service. The vulnerability exists because the Online Help web service of an affected device insufficiently validates user supplied input. An attacker could exploit this vulnerability by persuading a user of the service to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected service or access sensitive browser based information


=========================================================


MOST PREVALENT MALWARE FILES April 4 - 11:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP



SHA 256: d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed

MD5: 6372f770cddb40efefc57136930f4eb7

VirusTotal: https://www.virustotal.com/#/file/d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed/details

Typical Filename: maftask.zip

Claimed Product: N/A

Detection Name: PUA.Osx.Adware.Gt32supportgeeks::tpd



SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/#/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos



SHA 256: 8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56

MD5: 4cf6cc9fafde5d516be35f73615d3f00

VirusTotal: https://www.virustotal.com/#/file/8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56/details

Typical Filename: max.exe

Claimed Product: x6613x8BEDx8A00x7A0Bx5E8F

Detection Name: Win.Dropper.Armadillo::1201



SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044

MD5: b89b37a90d0a080c34bbba0d53bd66df

VirusTotal: https://www.virustotal.com/#/file/46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044/details

Typical Filename: cab.exe

Claimed Product: Orgs ps

Detection Name: W32.GenericKD:Trojangen.22ek.1201



SHA 256: 790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd

MD5: 147ba798e448eb3caa7e477e7fb3a959

VirusTotal: https://www.virustotal.com/#/file/790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd/details

Typical Filename: ups.exe

Claimed Product: TODO: <x4EA7x54C1x540D>

Detection Name: W32.Variant:XMRig.22fc.1201


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743