Learn cyber security skills you can implement immediately! Seven courses offered Jan. 20-25 in Anaheim, CA

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

May 2, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                 May 2, 2019 - Vol. 19, Num. 18


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES April 25 - May 2

============================================================


TOP VULNERABILITY THIS WEEK: Attackers exploiting Oracle vulnerability in the wild


*********** Sponsored By Fidelis Cybersecurity  ***********


When it comes to cybersecurity, you can only defend what you can see. Organizations continue to suffer breaches, oftentimes because they do not have continuous, real-time visibility of all their critical assets.  Register for the Fidelis webcast "Gaining a Decisive Advantage Through Terrain Based Cyber Defense" to learn more:   http://www.sans.org/info/212615


============================================================

TRAINING UPDATE

 

-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019


-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019


-- SANS San Antonio 2019 | May 28-June 2 | https://www.sans.org/event/san-antonio-2019


-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019


-- Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10 | https://www.sans.org/event/enterprise-defense-summit-2019


-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019


-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019


-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019


SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019


-- SANS OnDemand and vLive Training

Get an iPad, Samsung Galaxy Tab A, or $250 Off with OnDemand or vLive training. Offer ends May 15.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Attend the inaugural SANS Enterprise Defense Summit in Redondo Beach, CA June 3-4.  http://www.sans.org/info/212620


2) Take the 2019 SANS Integrated Incident Response Survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/212625


3) How is your organization responding to the threats that matter? Take this SANS survey and enter for a chance to win a $400 Amazon gift card:

http://www.sans.org/info/212630


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Oracle vulnerability opens users to remote code execution attacks

Description: Oracle released an out-of-band pouch for WebLogic servers that could allow an attacker to carry out remote code execution attacks. Security researchers discovered the bug being exploited earlier this month by attackers in the wild. Oracle assigned the bug CVE-2019-2725 and gave it a CVSS score of 9.8/10, highlighting how serious the issue is. WebLogix server owners are urged to update as soon as possible.

Reference: https://www.zdnet.com/article/new-oracle-weblogic-zero-day-discovered-in-the-wild/

Snort SIDs: 49942, 49943


Title: JasperLoader targets Europe with Gootkit banking trojan

Description: A loader known as "JasperLoader" has been increasingly active over the past few months and is currently being distributed via malicious spam campaigns primarily targeting central European countries, with a particular focus on Germany and Italy. JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult. It appears that this loader was designed with resiliency and flexibility in mind, as evidenced in later stages of the infection process.

Reference: https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html

Snort SIDs: 49914, 49915


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Docker says an attacker breached one of its Hub databases and could have stolen sensitive information from nearly 190,000 accounts.

https://motherboard.vice.com/en_us/article/7xgbzb/docker-hub-breach-hackers-stole-private-keys-tokens


Norwegian aluminum producer Norsk Hydro said a ransomware attack earlier this year cost the company the equivalent of $52 million in the first quarter.

https://www.reuters.com/article/norsk-hydro-outlook/update-1-norsk-hydro-expects-cyber-attack-costs-of-nearly-52-mln-in-q1-idUSL5N22C12R


Apple removed several parental control apps from its app store due to what the company called "highly invasive" mobile device management software.

https://www.securityweek.com/apple-claims-parental-control-apps-removed-due-use-mdm


A recent study found that the vast majority of U.S. presidential candidates campaigns for the 2020 election are open to an email-based attack.

https://finance.yahoo.com/news/most-2020-u-presidential-campaigns-120000599.html


An unguarded Microsoft-hosted database contains sensitive information on nearly 80 million U.S. households -- and it's unclear who owns it.

https://www.engadget.com/2019/04/29/database-exposes-80-million-us-households/


Facebook agreed to take part in a study of how social media influences American elections, opening up its internal data to independent researchers.

https://www.niemanlab.org/2019/04/here-are-the-social-media-and-democracy-research-projects-facebook-is-giving-data-to/


Messaging company Slack warned it could be the target of large-scale cyber attacks ahead of its IPO filing.

https://securityboulevard.com/2019/04/slack-to-investors-we-might-be-the-target-of-organized-crime-nation-sponsored-hackers/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2019-2725

Title:    Oracle WebLogic Server Remote Code Execution Vulnerability

Vendor:    Oracle

Description: A remote code execution vulnerability exists in Oracle Weblogic Sever. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. The flaw exists in the wls9_async_response package where the components wls9_async and wls-wsat trigger this vulnerability. An attacker can input a serialized maliciously crafted file. Upon processing, this file is deserialised and can execute the malicious content inside it with elevated privileges. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-11597

Title:    ImageMagick Multiple Heap Buffer Overflow Vulnerabilities

Vendor:    ImageMagick

Description: ImageMagick is exposed to multiple heap based bufferoverflow vulnerabilities. An attacker can exploit this issue to cause denial-of-service condition and obtain sensitive information. In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file.

CVSS v2 Base Score:    5.8 (AV:N/AC:M/Au:N/C:P/I:N/A:P)


ID:        CVE-2019-3398

Title:    Atlassian Confluence Server and Confluence Data Center Directory Traversal Vulnerability

Vendor:    Atlassian

Description: Atlassian Confluence Server and Confluence Data Center are exposed to a directory traversal vulnerability because the application fails to sufficiently sanitize user supplied input. Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve sensitive information. Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.

CVSS v2 Base Score:    9.0  (AV:N/AC:L/Au:S/C:C/I:C/A:C)


ID:        CVE-2019-3844

Title:    systemd Local Privilege Escalation Vulnerability

Vendor:    systemd

Description: systemd is exposed to a local privilege escalation vulnerability.  An attacker may exploit this issue to gain elevated privileges. It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.

CVSS v2 Base Score:    3.7 (AV:L/AC:H/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-6467

Title:    ISC BIND Remote Denial of Service Vulnerability

Vendor:    ISC

Description: ISC BIND is exposed to a remote denial of service vulnerability. A flaw was found in the way "nxdomain-redirect" feature was implemented in bind.An attacker could use this flaw on a server with a vulnerable configuration to cause bind to exit, denying service to other clients.

CVSS v2 Base Score:    6.4 (AV:N/AC:H/Au:N/C:N/I:N/A:C)


ID:        CVE-2018-2004

Title:    IBM Jazz Reporting Service Cross Site Scripting Vulnerability

Vendor:    IBM

Description: IBM Jazz Reporting Service is exposed to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

CVSS v2 Base Score:    9.0 (AV:N/AC:L/Au:N/C:P/I:P/A:C)


ID:        CVE-2019-11035

Title:    PHP Multiple Heap Buffer Overflow Vulnerabilities

Vendor:    PHP

Description: PHP is exposed to multiple heap based buffer overflow vulnerabilities. When processing certain files, PHP EXIF extension can be caused to read past allocated buffer in exif_process_IFD_TAG function. An attacker can exploit these issues to execute arbitrary code in the context of the application. Failed attacks would result in denial of service conditions.

CVSS v2 Base Score:     6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)


ID:        CVE-2019-11244

Title:    Kubernetes Local Unauthorized Access Vulnerability

Vendor:    Kubernetes

Description: Kubernetes is exposed to a local unauthorized access vulnerability. In Kubernetes, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation. A local attacker can exploit this issue to gain unauthorized access to the affected application.

CVSS v2 Base Score:     1.9 (AV:L/AC:M/Au:N/C:N/I:P/A:N)


ID:        CVE-2019-9208

Title:    Wireshark Multiple Denial of Service Vulnerabilities

Vendor:    Wireshark

Description: Wireshark is exposed to multiple denial of service vulnerabilities. In Wireshark, the TCAP dissector could crash. This was addressed in epan/dissectors/asn1/tcap/tcap.cnf by avoiding NULL pointer dereferences. An attacker can exploit these issues by injecting a malformed packet onto the wire or by convincing someone to read a malformed 'pcap' file.

CVSS v2 Base Score:    5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)


=========================================================


MOST PREVALENT MALWARE FILES April 25 - May 2:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/#/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/#/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: xme64-2141.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/#/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir

Claimed Product: N/A

Detection Name: W32.Generic:Gen.21ij.1201


SHA 256: d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed

MD5: 6372f770cddb40efefc57136930f4eb7

VirusTotal: https://www.virustotal.com/#/file/d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed/details

Typical Filename: maftask.zip

Claimed Product: N/A

Detection Name: PUA.Osx.Adware.Gt32supportgeeks::tpd


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743