Learn cyber security skills you can implement immediately! Seven courses offered Jan. 20-25 in Anaheim, CA

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

August 15, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            August 15, 2019 - Vol. 19, Num. 33


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Aug. 8 - 15

============================================================


TOP VULNERABILITY THIS WEEK: Microsoft discloses more than 90 vulnerabilities as part of Patch Tuesday


*************** Sponsored By AWS Marketplace ***************


AWS Education Series: Building a Threat Detection Strategy in AWS. In this webcast, SANS Analyst David Szili explains the keys to detecting threats in the AWS cloud and presents a use case to demonstrate best practices. Learn which AWS native tools are most useful for continuous monitoring, detection and event management. August 22, 2 PM ET. http://www.sans.org/info/213920


============================================================

TRAINING UPDATE

 

-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019


-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019


-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019


-- SANS DFIR Europe Summit and Training 2019 | Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019


-- SIEM Summit & Training 2019 | Chicago, IL | October 7-14 | https://www.sans.org/event/siem-summit-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- Purple Team Summit & Training 2019 | Dallas, TX | October 21-28 | https://www.sans.org/event/purple-team-summit-2019


-- SANS OnDemand and vLive Training

Get a 10.5" iPad Air with Smart Keyboard, a Surface Go, or Take $300 off through August 21 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Webcast August 20 at 1 PM ET: Focus On People, Process, and Technology to Take Your SOC to the Next Level. Register http://www.sans.org/info/213925


2) What challenges do you face with implementing endpoint security in your organization? Take this SANS survey: http://www.sans.org/info/213930


3) See how new intelligence, analysis and techniques can more accurately detect hidden and destructive objects in this upcoming webcast: http://www.sans.org/info/213935


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: 31 critical vulnerabilities addressed in latest Microsoft security update

Description: Microsoft released its monthly security update Tuesday, disclosing more than 90 vulnerabilities in several of its products. The latest Patch Tuesday covers 97 vulnerabilities, 31 of which are rated "critical," 65 that are considered "important" and one "moderate." This month's security update covers security issues in a variety of Microsoft services and software, including certain graphics components, Outlook and the Chakra Scripting Engine.

Reference: https://blog.talosintelligence.com/2019/08/microsoft-patch-tuesday-aug-2019.html

Snort SIDs: 35190, 35191, 40851, 40852, 45142, 45143, 50936 - 50939, 50969 - 50974, 50987, 50988, 50940, 50941, 50998, 50999, 51001 - 51006 (Written by Cisco Talos analysts)

 

Title: Cisco releases security patches for multiple products, including high-severity bugs in WebEx Teams

Description: Cisco released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit the more critical bugs to take control of an affected system. Some of the most severe vulnerabilities exist in Cisco WebEx Network Recording for Microsoft Windows and Cisco Webex Player for Windows. These bugs, identified across five different CVEs, could allow a remote attacker to execute arbitrary code on an affected system.

Reference: https://www.us-cert.gov/ncas/current-activity/2019/08/08/cisco-releases-security-updates-multiple-products

Snort SIDs: 50902, 50904 - 50907 (Written by Amit Raut)


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Security researchers say some of the most popular voting machines in the U.S. have been exposed to the internet for months or even years, despite their manufacturer claiming otherwise.

https://www.vice.com/en_us/article/3kxzk9/exclusive-critical-us-election-systems-have-been-left-exposed-online-despite-official-denials


Two years after the U.S. banned the use of Kaspersky software on government-owned systems, the company's software remains on many machines.

https://www.forbes.com/sites/thomasbrewster/2019/08/08/exclusive-kaspersky-software-lingers-on-sensitive-government-systems-2-years-after-us-ban/#3954ffb7381c


Car makers used the DEFCON conference as an opportunity to find out where there may be vulnerabilities in their onboard computers and remote start systems.

https://www.reuters.com/article/us-autos-cyber-conference/automakers-warm-up-to-friendly-hackers-at-cybersecurity-conference-idUSKCN1V10H9


Democratic lawmakers used the Black Hat and DEFCON conferences to push election security bills and criticize Senate Majority Leader Mitch McConnell.

https://www.politico.com/story/2019/08/12/election-security-hacker-conference-mitch-mcconnell-1654899


A controversial sponsored talk at the Black Hat conference about the "Time AI" service was eventually taken offline after backlash from researchers.

https://www.vice.com/en_us/article/8xw9kp/black-hat-talk-about-time-ai-causes-uproar-is-deleted-by-conference


Police in South Wales, U.K. are starting to use facial recognition apps to identify a suspect without having to take them to a station.

https://www.theguardian.com/technology/2019/aug/07/south-wales-police-to-use-facial-recognition-to-identify-suspects


The United Nations is investigating 35 cyber attacks it says came from North Korea in an effort to fund their atomic weapons program.

https://abcnews.go.com/US/wireStory/probing-35-north-korean-cyberattacks-17-countries-64933610


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2019-1181

Title:    Microsoft Remote Desktop Services Remote Code Execution Vulnerability

Vendor:    Microsoft

Description: A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. To exploit the vulnerabilities, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP. More infromation is available - "https://blog.qualys.com/laws-of-vulnerabilities/2019/08/13/windows-remote-desktop-vulnerabilities-seven-monkeys-how-to-detect-and-patch". This CVE ID is unique from CVE-2019-1181, CVE-2019-1222, CVE-2019-1226.

CVSS v2 Base Score:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-1222

Title:    Microsoft Remote Desktop Services Remote Code Execution Vulnerability

Vendor:    Microsoft

Description: A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. To exploit the vulnerabilities, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP. More infromation is available - "https://blog.qualys.com/laws-of-vulnerabilities/2019/08/13/windows-remote-desktop-vulnerabilities-seven-monkeys-how-to-detect-and-patch". This CVE ID is unique from CVE-2019-1181, CVE-2019-1182, CVE-2019-1222.

CVSS v2 Base Score:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-5994

Title:    EOS Camera Picture Transfer Protocol Memory Corruption Vulnerability

Vendor:    Canon EOS

Description: A Buffer overflow vulnerability exist in PTP (Picture Transfer Protocol) of EOS series digital cameras that allows an attacker on the same network segment to trigger the affected product being unresponsive or to execute arbitrary code on the affected product via SendObjectInfo command.

CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)


ID:        CVE-2019-0193

Title:    Apache Solr Remote Code Execution Vulnerability

Vendor:    Apache

Description: A vulnerability exists in the DataImportHandler module of Apache Solr, a common module used to import data from databases or other sources. The whole DIH configuration of this module can come from the dataConfig parameter included in an external request. An attacker could exploit this vulnerability to cause arbitrary code execution via a malicious request that contains a carefully crafted dataConfig parameter.

CVSS v2 Base Score:    9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)


ID:        CVE-2019-14234

Title:    Django Index lookup SQL Injection Vulnerability

Vendor: Django

Description: Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. A remote attacker could possibly use this issue to perform SQL injection attacks.

CVSS v2 Base Score: AV:N/AC:L/Au:N/C:N/I:N/A:P  Base Score: 5


ID:        CVE-2018-13382

Title:    Fortinet FortiOS Authorization Bypass Vulnerability

Vendor:    Fortinet

Description: An Improper Authorization vulnerability in Fortinet FortiOS under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks.

CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)


=========================================================


MOST PREVALENT MALWARE FILES Aug. 8 - 15:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: b22eaa5c51f0128d5e63a67ddf44285010c05717e421142a3e59bba82ba1325a

MD5: 125ef5dc3115bda09d2cef1c50869205

VirusTotal: https://www.virustotal.com/gui/file/b22eaa5c51f0128d5e63a67ddf44285010c05717e421142a3e59bba82ba1325a/details

Typical Filename: helpermcp

Claimed Product: N/A

Detection Name: PUA.Osx.Trojan.Amcleaner::sbmt.talos


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6

MD5: f7145b132e23e3a55d2269a008395034

VirusTotal: https://www.virustotal.com/gui/file/8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6/details

Typical Filename: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6.bin

Claimed Product: N/A

Detection Name: Unix.Exploit.Lotoor::other.talos


SHA 256: 39a875089acaa37c76dd333c46c0072c6db0586c03135153fe6c15ac453ab750

MD5: df61f138409416736d9b6f4ec72ac0af

VirusTotal: https://www.virustotal.com/gui/file/39a875089acaa37c76dd333c46c0072c6db0586c03135153fe6c15ac453ab750/details

Typical Filename: cslast.gif

Claimed Product: N/A

Detection Name: W32.39A875089A-100.SBX.TG


SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: xme64-2141.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743