Learn InfoSec skills you can implement immediately! Six courses available in Houston - Oct. 28-Nov. 2.

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

June 27, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

             June 27, 2019 - Vol. 19, Num. 26


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES June 20 - 27

============================================================


TOP VULNERABILITY THIS WEEK: Attackers exploit Firefox zero-day to deliver malware


********************* Sponsored By SANS ********************


More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,900 original computer security white papers in 110 different categories.  See for yourself:   http://www.sans.org/info/213440


============================================================

TRAINING UPDATE

 

-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019


-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019


-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019


-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019


-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019


-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019


-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- SANS OnDemand and vLive Training

Get an iPad Mini, Surface Go, or Take $300 Off through July 10 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) SANS Pen Test HackFest Summit - Our Call for Presentations is open! Submit a talk proposal: http://www.sans.org/info/213445


2) Keynotes announced for the inaugural SANS Supply Chain Cybersecurity Summit in Washington, DC!  Summit agenda:  http://www.sans.org/info/213450


3) New to cybersecurity? Looking to improve Pentesting, Forensic or Cyber Defense skills? Level Up with SANS! http://www.sans.org/info/213455


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Netwire malware delivered through Firefox vulnerability

Description: Attackers are exploiting a now-patched Mozilla Firefox vulnerability to deliver the Netwire malware. At the time of first exploitation, there was no fix for the bug. Netwire uses two separate functions to persist -- once as a launch agent and again as a login item. New Snort rules prevent the malware from downloading its final payload.

Reference: https://duo.com/decipher/firefox-0-day-used-to-deliver-netwire-mac-malware

Snort SIDs: 50498, 50500

 

Title: Cisco patches critical bugs in DNA Center, SD-WAN

Description: Cisco has patched a slew of critical and high-severity flaws in its DNA Center and SD-WAN. In all, the company issued fixes for 25 vulnerabilities last week across a variety of its products. Two of the most severe bugs exist on access ports necessary for Cisco Digital Network Architecture (DNA) Center. There is another critical vulnerability in SD-WAN's command line interface.

Reference: https://threatpost.com/cisco-dna-center-critical-flaw/145849/

Snort SIDs: 50467, 50469 - 50472, 50485 - 50489, 50492


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


For the second time in just over a week, a Florida city agreed to pay the attackers behind a ransomware attack in exchange for the recovery of their data.

https://www.cbsnews.com/news/ransomware-attack-lake-city-florida-pay-hackers-ransom-computer-systems-after-riviera-beach/


The U.S. Department of Homeland Security released a warning that wiper cyber attacks from Iranian threat groups are on the rise as tensions increase between Iran and America.

https://arstechnica.com/information-technology/2019/06/dhs-cyber-director-warns-of-surge-in-iranian-wiper-hack-attacks/


The head of Instagram again denied the theory that Instagram and Facebook listen in on users' conversations and then deliver ads based on that data.

https://www.insider.com/instagram-facebook-listening-on-smartphones-2019-6


A lawsuit against Facebook over a massive data breach can move forward, a federal appeals court ruled this week. The attack in question resulted in 30 million users having their login information compromised.

https://www.bloomberg.com/news/articles/2019-06-24/facebook-must-face-lawsuit-over-29-million-user-data-breach


The DanaBot banking trojan now has a ransomware module. So far, the variant has targeted users in Italy and Poland.

https://www.bleepingcomputer.com/news/security/danabot-banking-trojan-upgraded-with-non-ransomware-module/


Oracle patched a critical vulnerability in WebLogic that attackers could exploit remotely without authentication.

https://threatpost.com/oracle-warns-of-new-actively-exploited-weblogic-flaw/145829/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2019-12874

Title:    VideoLAN VLC Remote Code Execution Vulnerability

Vendor:    VideoLAN

Description: VideoLAN VLC Media Player is exposed to a remote code execution vulnerability. An issue was discovered in "zlib_decompress_extra" in "modules/demux/mkv/util.cpp" in VideoLAN VLC media player vulnerable versions. An attacker can exploit this issue to execute arbitrary code within the context of the user running the affected application.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

 

ID:        CVE-2019-1875

Title:    Cisco Prime Service Catalog Cross Site Scripting Vulnerability

Vendor:    Cisco

Description: Cisco Prime Service Catalog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

CVSS v2 Base Score: 3.5(AV:N/AC:M/Au:S/C:N/I:P/A:N)


ID:        CVE-2019-12280

Title:    PC-Doctor for Windows DLL Loading Arbitrary Code Execution Vulnerability

Vendor:    PC-Doctor

Description: PC-Doctor for Windows is exposed to an arbitrary code execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the affected application.

CVSS v2 Base Score:    6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-1874

Title:    Cisco Prime Service Catalog Cross Site Request Forgery Vulnerability

Vendor:    Cisco

Description: Cisco Prime Service Catalog is exposed to an cross site request forgery vulnerability. The vulnerability is due to insufficient CSRF protection mechanisms on the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.

CVSS v2 Base Score:    6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-9701

Title:    Symantec DLP Cross Site Scripting Vulnerability

Vendor:    Symantec

Description: Symantec DLP is exposed to a cross site scripting vulnerability because it fails to properly sanitize user supplied input. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie based authentication credentials and launch other attacks.

CVSS v2 Base Score:    3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)


ID:        CVE-2019-12817

Title:    Linux kernel Local Privilege Escalation Vulnerability

Vendor:    Linux

Description: Linux Kernel is prone to a local privilege escalation vulnerability. A local attacker can exploit this issue to gain elevated privileges..

CVSS v2 Base Score:    6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-2729

Title:    Oracle WebLogic Server Deserialization Remote Code Execution Vulnerability

Vendor:    Oracle

Description: Oracle WebLogic Server is exposed to a remote code execution vulnerability. A remote attacker can leverage this issue to execute arbitrary code within the context of the affected system. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:     CVE-2019-12881

Title:  Linux Kernel Denial of Service Vulnerability

Vendor: Linux

Description: Linux Kernel is exposed to a denial of service vulnerability. Attackers can exploit this issue to cause denial of service conditions. Due to the nature of this issue, arbitrary code execution may be possible. "i915_gem_userptr_get_pages" in "drivers/gpu/drm/i915/i915_gem_userptr.c" in vulnerable Linux kernel versions allows local users to cause a denial of service or possibly have unspecified other impact via crafted ioctl calls to "/dev/dri/card0".

CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)


=========================================================


MOST PREVALENT MALWARE FILES June 20 - 27:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/#/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/#/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201


SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/#/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: wup.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


SHA 256: f118e52a73227b85fbb0cb7d202c3753916e518c516286c441a2dc92ede1f023

MD5: 4f551cb9a7c7d24104c19ac85e55defe

VirusTotal: https://www.virustotal.com/gui/file/f118e52a73227b85fbb0cb7d202c3753916e518c516286c441a2dc92ede1f023/details

Typical Filename: watchdog.exe

Claimed Product: N/A

Detection Name: W32.Trojan:Trojangen.22hu.1201


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743