Learn cyber security skills you can implement immediately! Seven courses offered Jan. 20-25 in Anaheim, CA

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

August 22, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

              August 22, 2019 - Vol. 19, Num. 34


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Aug. 15 - 22

============================================================


TOP VULNERABILITY THIS WEEK: Vulnerabilities in Google Nest cameras could allow attacker to leak data


*************** Sponsored By AWS Marketplace ***************


Which AWS native tools are most beneficial for continuous monitoring, detection and event management in the AWS cloud? Join SANS Analyst David Szili and AWS Solutions Architect Manager David Aiken to learn how to enhance visibility for threat detection in AWS by employing native tools such as Amazon VPC Traffic Mirroring. August 22, 2 PM ET. http://www.sans.org/info/213980


============================================================


TRAINING UPDATE

 

-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019


-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019


-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019


-- SANS DFIR Europe Summit and Training 2019 | Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019


-- SIEM Summit & Training 2019 | Chicago, IL | October 7-14 | https://www.sans.org/event/siem-summit-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- Purple Team Summit & Training 2019 | Dallas, TX | October 21-28 | https://www.sans.org/event/purple-team-summit-2019


-- SANS OnDemand and vLive Training

Get free GIAC Cert Attempt or Take $350 off with OnDemand or vLive training through September 4.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Webcast August 27 at 1 PM ET: Brush up on your DNS security fundamentals and see how it can help you block threats before they reach your users. http://www.sans.org/info/213985


2) Webcast: BloxOne(TM) Threat Defense: Strengthening and Optimizing Your Security Posture from the Foundation Up. http://www.sans.org/info/213990


3) Take the SANS 2019 Endpoint Survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/213995


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Nest Cam IQ camera open to takeover, data disclosure

Description: Cisco Talos recently discovered multiple vulnerabilities in the Nest Cam IQ Indoor camera. One of Nest Labs' most advanced internet-of-things devices, the Nest Cam IQ Indoor integrates Security-Enhanced Linux in Android, Google Assistant, and even facial recognition all into a compact security camera. It primarily uses the Weave protocol for setup and initial communications with other Nest devices over TCP, UDP, Bluetooth and 6lowpan. Most of these vulnerabilities lie in the weave binary of the camera, however, there are some that also apply to the weave-tool binary. It is important to note that while the weave-tool binary also lives on the camera and is vulnerable, it is not normally exploitable as it requires a local attack vector (i.e. an attacker-controlled file) and the vulnerable commands are never directly run by the camera.

Reference: https://blog.talosintelligence.com/2019/08/vuln-spotlight-nest-camera-openweave-aug-2019.html

Snort SIDs: 49843 - 49855, 49797, 49798, 49801 - 49804, 49856, 49857, 49813 - 49816, 49912 (Written by Josh Williams)

 

Title: Aspose APIs contain bugs that could lead to remote code execution

Description: Cisco Talos recently discovered multiple remote code execution vulnerabilities in various Aspose APIs. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs, Microsoft Word files and more. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and trick them into opening it while using the corresponding API.

Reference: https://blog.talosintelligence.com/2019/08/aspose-APIs-RCE-vulns-aug-2019.html

Snort SIDs: 49756, 49757, 49760, 49761, 49852, 49853 (Written by Cisco Talos analysts)


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


A new vulnerability in Bluetooth could allow an attacker to intercept keystrokes on mobile devices and potentially steal sensitive information.

https://arstechnica.com/information-technology/2019/08/new-attack-exploiting-serious-bluetooth-weakness-can-intercept-sensitive-data/


Bernie Sanders became the first 2020 presidential candidate to publicly call for an end to the use of facial recognition technology by law enforcement agencies.

https://www.vox.com/recode/2019/8/19/20812594/bernie-sanders-ban-facial-recognition-tech-police


Instagram is expanding its bug bounty program to reward researchers who discover third-party apps that inappropriately disclose user data.

https://www.engadget.com/2019/08/19/facebook-data-abuse-bounty-program-instagram-checkout/


Apple mistakenly unpatched a vulnerability that could allow users to jailbreak the iPhone, and hackers quickly went public with a way to break into a fully up-to-date device.

https://www.vice.com/en_us/article/qvgp77/hacker-releases-first-public-iphone-jailbreak-in-years


Security researchers discovered an unpatchable vulnerability in a line of SoC boards manufactured by American manufacturer Xilinx.

https://www.zdnet.com/article/unpatchable-security-flaw-found-in-popular-soc-boards/


Twenty-three cities in Texas have been hit with a ransomware attack believed to originate from a single threat actor.

https://www.npr.org/2019/08/20/752695554/23-texas-towns-hit-with-ransomware-attack-in-new-front-of-cyberassault


The United States gave Chinese tech company Huawei another 90-day import agreement that will allow the company to use American-made parts as the two sides continue to discuss security concerns.

https://www.reuters.com/article/us-huawei-tech-usa-license-exclusive-idUSKCN1V701U?


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2019-9512,CVE-2019-9514

Title:    Kubernetes Denial of Service Vulnerability

Vendor:    Kubernetes

Description: A security issue has been found in the net/http library of the Go language that affects all versions and all components of Kubernetes. The vulnerabilities can result in a DoS against any process with an HTTP or HTTPS listener. These vulnerabilities allow untrusted clients to allocate an unlimited amount of memory, until the server crashes leading to Denial of Service.

CVSS v2 Base Score:    7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)


ID:        CVE-2019-15107

Title:    Webmin Remote Code Execution Vulnerability

Vendor:    Multi-Vendor

Description: Webmin is a web-based interface for system administration for Unix,although recent versions can also be installed and run on Windows. Webmin contains a vulnerability that allows remote command execution.The parameter "old" in password_change.cgi contains a command injection vulnerability. Webmin versions are only vulnerable if changing of expired passwords is enabled. Successful exploitation may allow remote attacker to execute arbitrary commands on target system.

CVSS v2 Base Score:    6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-15107

Title:    Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)

Vendor:    PulseSecure

Description: Pulse Connect Secure provides secure, authenticated access for remote and mobile users from any web-enabled device to corporate resources anytime, anywhere. Pulse Connect Secure is the most widely deployed SSL VPN for organizations of any size, across every major industry. Successful exploitation of this vulnerability can lead to to remote code execution, arbitrary local file modification, session hijacking, SAML authentication leak, command injection, stack buffer overflow, Cross-site Scripting etc.

CVSS v2 Base Score:    6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)


ID:        CVE-2019-8045

Title:    Adobe Security Update for Adobe Acrobat and Reader (APSB19-41)

Vendor:    Adobe

Description: Adobe Acrobat and Reader versions have an untrusted pointer dereference vulnerability. Successful exploitation could lead to arbitrary code execution. An attacker could exploit this vulnerability to compromise Confidentiality, Integrity and/or Availability.

CVSS v2 Base Score:    10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2018-13379

Title:    Fortinet FortiOS Credentials Disclosure Vulnerability

Vendor:    Fortinet

Description: Fortinet FortiOS is exposed to a directory traversal vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue using directory-traversal characters ('../') to access or read arbitrary files that contain sensitive information or to access files outside of the restricted directory to obtain sensitive information and allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

CVSS v2 Base Score:    5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)


ID:        CVE-2019-14430

Title:    YouPHPTube SQL Injection Vulnerability

Vendor:    YouPHPTube

Description: The parameters "User" as well as "pass" of the user registration function in YouPHPTube are vulnerable to SQL injection vulnerabilities. By submitting an HTTP POST request to the URL "/objects/userCreate.json.php" an attacker can access the database and read the hashed credentials of an administrator. Successful exploitation allows an unauthenticated, remote attacker to manipulate SQL queries by injecting arbitrary SQL code or further exploit latent vulnerabilities in the underlying database.

CVSS v2 Base Score:    6.8 (AV:N/AC:L/Au:S/C:P/I:P/A:P)


=========================================================


MOST PREVALENT MALWARE FILES Aug. 15 - 22:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: b22eaa5c51f0128d5e63a67ddf44285010c05717e421142a3e59bba82ba1325a

MD5: 125ef5dc3115bda09d2cef1c50869205

VirusTotal: https://www.virustotal.com/gui/file/b22eaa5c51f0128d5e63a67ddf44285010c05717e421142a3e59bba82ba1325a/details

Typical Filename: helpermcp

Claimed Product: N/A

Detection Name: PUA.Osx.Trojan.Amcleaner::sbmt.talos


SHA 256: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6

MD5: f7145b132e23e3a55d2269a008395034

VirusTotal: https://www.virustotal.com/gui/file/8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6/details

Typical Filename: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6.bin

Claimed Product: N/A

Detection Name: Unix.Exploit.Lotoor::other.talos


SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: xme64-2141.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08

MD5: db69eaaea4d49703f161c81e6fdd036f

VirusTotal: https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details

Typical Filename: invoice.exe

Claimed Product: N/A

Detection Name: W32.46B241E3D3-95.SBX.TG


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743