Learn InfoSec skills you can implement immediately! Six courses available in Houston - Oct. 28-Nov. 2.

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

April 25, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            April 25, 2019 - Vol. 19, Num. 17


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES April 17 - 24

============================================================


TOP VULNERABILITY THIS WEEK: Sea Turtle campaign targets well-known DNSs


********************* Sponsored By SANS ********************


Attend SANS Enterprise Defense Summit in Redondo Beach, CA, June 3-4

Explore attack emulation strategies, incident response techniques, and available tools that can be deployed at scale. Through in-depth presentations and panel discussions, top experts will present tools, tactics, and procedures that provide real value and can be deployed within enterprise environments. http://www.sans.org/info/212255


============================================================

TRAINING UPDATE

 

-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019


-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019


-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019


-- SANS San Antonio 2019 | May 28-June 2 | https://www.sans.org/event/san-antonio-2019


-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019


-- Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10 | https://www.sans.org/event/enterprise-defense-summit-2019


-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019


-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019


-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019


-- SANS OnDemand and vLive Training

Get an iPad Mini, Surface Go, or Take $300 Off your OnDemand or vLive course. Offer ends May 1.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) ICYMI " The Continuation of Web-based Supply Chain Attacks" http://www.sans.org/info/212240


2) How is your organizations responding to the threats that matter? Take this SANS survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/212245


3) What challenges do you face with incidents and breaches? Take the 2019 SANS Integrated Incident Response Survey and enter for a chance to win a $400 Amazon gift card.

http://www.sans.org/info/212250


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Sea Turtle campaign highlights dangers of DNS hijacking

Description: Cisco Talos discovered a new cyber threat campaign called "Sea Turtle," which is targeting public and private entities, including national security organizations, located primarily in the Middle East and North Africa. The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019. The investigation revealed that at least 40 different organizations across 13 different countries were compromised during this campaign. Talos assesses with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems.

Reference: https://blog.talosintelligence.com/2019/04/seaturtle.html

Snort SIDs: 2281, 31975 - 31978, 31985, 32038, 32039, 32041 - 32043, 32069, 32335, 32336, 41909, 41910, 43424 - 43432, 44531, 46897, 46316


Title: Cisco discloses 31 vulnerabilities, including some critical

Description: Cisco released advisories for 31 vulnerabilities last week, including "critical" patches for its IOS and IOS XE Software Cluster Management and IOS software for the Cisco ASR 9000 series of routers. Other vulnerabiliites also deal with Cisco Wireless LAN Controllers. If unpatched, an attacker could exploit these vulnerabilities to carry out denial-of-service attacks or gain the ability to remotely execute code.

Reference: https://www.networkworld.com/article/3390159/cisco-warns-wlan-controller-9000-series-router-and-iosxe-users-to-patch-urgent-security-holes.html

Snort SIDs: 49858, 49859, 49866, 49867, 49879


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Facebook says it may have "unintentionally uploaded" 1.5 million users' email contacts without their permission.

https://www.usatoday.com/story/tech/news/2019/04/18/facebook-1-5-million-users-email-contacts-uploaded-unintentionally-without-permission/3505556002/


The source code of the Carbanak malware began appearing on VirusTotal this week.

https://www.securityweek.com/carbanak-source-code-discovered-virustotal


The U.S. says a cyber attack against Japan could be considered an act of war under a security agreement between the two countries.

https://qz.com/1600574/a-cyber-attack-in-japan-could-now-bring-the-us-into-war/


Government leaders from Singapore say a recent string of data leaks and cyber attacks will not prevent the country from moving forward in building what it calls a "Smart Nation."

https://www.bloomberg.com/news/articles/2019-04-20/security-breaches-won-t-derail-singapore-s-tech-push-minister


A recent study found that, in the U.K., the the password "123456" was the most commonly among users who were breached last year.

https://www.bbc.com/news/technology-47974583


The Weather Channel was taken off-air for more than an hour last week due to a ransomware attack. The FBI launched an investigation into the attack.

https://www.theverge.com/2019/4/19/18507869/weather-channel-ransomware-attack-tv-program-cable-off-the-air


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        Cve-2019-3799

Title:    Spring Cloud Config Directory Traversal Vulnerability

Vendor:    Spring

Description: Spring Cloud Config is exposed to a Directory Traversal Vulnerability because the vulnerable versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. Successful exploitation of this vulnerability may allow a malicious user, or attacker, to send a request using a specially crafted URL that can lead a directory traversal attack.

CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-11387

Title:    OWASP ModSecurity Core Rule Set (CRS) Remote Denial of Service Vulnerability

Description: OWASP ModSecurity Core Rule Set (CRS) is exposed to a remote denial of service vulnerability. An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf that allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with nested repetition operators.

CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)


ID:        CVE-2019-1777

Title:    Cisco Registered Envelope Service HTML Injection Vulnerability

Vendor:    Cisco

Description: Cisco Registered Envelope Service is exposed to an HTML injection vulnerability because it fails to sanitize user supplied input. A vulnerability in the web-based interface of the Cisco Registered Envelope Service could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against another user of the service. The vulnerability is due to insufficient validation of user supplied input by the web-based interface of the affected software. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user.

CVSS v2 Base Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)


ID:        CVE-2019-1792

Title:    Cisco Umbrella Cross Site Scripting Vulnerability

Vendor:    Cisco

Description: Cisco Umbrella is exposed to a cross site scripting vulnerability because it fails to properly sanitize user supplied input. A vulnerability in the URL block page of Cisco Umbrella could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user in a network protected by Umbrella. The vulnerability is due to insufficient validation of input parameters passed to that page. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


ID:        CVE-2019-4012

Title:    Multiple IBM Products SQL Injection Vulnerability

Vendor:    IBM

Description: Multiple IBM Products are prone to an SQL injection vulnerability because it fails to sufficiently sanitize user supplied data before using it in an SQL query. IBM BigFix WebUI Profile Management and Software Distribution are vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-10691

Title:    Dovecot Denial of Service Vulnerability

Vendor:    Dovecot

Description: Dovecot is exposed to a remote denial of service vulnerability. A flaw was found in the JSON encoder in dovecot, which an attacker could use to crash the application via usage of invalid UTF-8 characters in the login name during authentication or by using invalid UTF-8 sequence in email when OX push notification driver is enabled. Attackers can exploit this issue to crash the affected application, denying service to legitimate users.

CVSS v2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)


ID:        CVE-2019-10893

Title:    CentOS Web Panel HTML Injection Vulnerability

Vendor:    CentOS

Description: CentOS Web Panel is exposed to an HTML injection vulnerability because it fails to sufficiently sanitize user-supplied input. CentOS-WebPanel.com (aka CWP) CentOS Web Panel is vulnerable to Stored/Persistent XSS for Admin Email fields on the "CWP Settings > "Edit Settings" screen. By changing the email ID to any XSS Payload and clicking on Save Changes, the XSS Payload will execute. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user.

CVSS v2 Base Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)


ID:        CVE-2019-0859

Title:    Microsoft Windows Win32k Local Privilege Escalation Vulnerability

Vendor:    Microsoft

Description: Microsoft Windows is exposed to a local privilege escalation vulnerability. An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. An attacker can exploit this issue to execute arbitrary code with elevated privileges. This CVE ID is unique from CVE-2019-0685, CVE-2019-0803.

CVSS v2 Base Score:    7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-9208, CVE-2019-9209, CVE-2019-9214

Title:    Wireshark Multiple Denial of Service Vulnerabilities

Vendor:    Wireshark

Description: Wireshark is exposed to multiple denial of service vulnerabilities. An attacker can exploit these issues by injecting a malformed packet onto the wire or by convincing someone to read a malformed 'pcap' file. This was addressed in epan/dissectors/asn1/tcap/tcap.cnf by avoiding NULL pointer dereferences.

Attackers can exploit these issues to crash the affected application, denying service to legitimate users.

CVSS v2 Base Score:    5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)


ID:        CVE-2019-11035, CVE-2019-11034

Title:    PHP Multiple Heap Buffer Overflow Vulnerabilities

Vendor:    PHP

Description: PHP is exposed to multiple heap based buffer overflow vulnerabilities. When processing certain files, PHP EXIF extension can be caused to read past allocated buffer in exif_iif_add_value function. An attacker can exploit these issues to execute arbitrary code in the context of the application. This may lead to information disclosure or crash.

CVSS v2 Base Score:    6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)


=========================================================


MOST PREVALENT MALWARE FILES April 17 - 24:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/#/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56

MD5: 4cf6cc9fafde5d516be35f73615d3f00

VirusTotal: https://www.virustotal.com/#/file/8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56/details

Typical Filename: max.exe

Claimed Product: x6613x8BEDx8A00x7A0Bx5E8F

Detection Name: Win.Dropper.Armadillo::1201


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/#/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir

Claimed Product: N/A

Detection Name: W32.Generic:Gen.21ij.1201


SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044

MD5: b89b37a90d0a080c34bbba0d53bd66df

VirusTotal: https://www.virustotal.com/#/file/46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044/details

Typical Filename: u.exe

Claimed Product: Orgs ps

Detection Name: W32.GenericKD:Trojangen.22ek.1201


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743