Learn InfoSec skills you can implement immediately! Six courses available in Houston - Oct. 28-Nov. 2.

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

September 5, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

             September 05, 2019 - Vol. 19, Num. 36


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Aug. 29 - Sept. 5

============================================================


TOP VULNERABILITY THIS WEEK: Additional protection for attacks against popular VPN service


*************** Sponsored By AWS Marketplace ***************


Know Your Apps and Your Developers: JumpStart Guide to Securing Applications in AWS. In this webcast, learn how to work with developers to identify, assess and understand your applications and APIs deploying to AWS. SANS, AWS and Fortinet experts provide practical guidance for reusing resources, improving AppSec programs and planning future application development. Join us Sept. 11, 2:00 PM ET. http://www.sans.org/info/214110


============================================================

TRAINING UPDATE

 

-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019


-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019


-- SANS DFIR Europe Summit and Training 2019 | Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019


-- SIEM Summit & Training 2019 | Chicago, IL | October 7-14 | https://www.sans.org/event/siem-summit-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- Purple Team Summit & Training 2019 | Dallas, TX | October 21-28 | https://www.sans.org/event/purple-team-summit-2019


-- SANS OnDemand and vLive Training

Get an iPad, Samsung Galaxy Tab A, or Take $250 off through September 18 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Webcast: Learn key processes, skills and technologies required for an effective supply chain security program. Register: http://www.sans.org/info/214115


2) In the Denver area? Register for the SANS Cloud Security Operations Solutions Forum on October 18th: http://www.sans.org/info/214120


3) Webcast Tuesday September 17th at 1 PM ET: Elevating Enterprise Security with Fidelis Cybersecurity: Network and Deception. http://www.sans.org/info/214130


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: New protection fends off password-stealing attacks from popular VPN service

Description: Last week, attackers began launching password-stealing attacks against the Fortigate and Pulse VPN services. At the time, Cisco Talos released SNORT(R) rules to protect Pulse VPN, and there is now additional protection for Fortigate. Attackers are attempting to steal encryption keys, passwords and other important data from servers utilizing these two VPN services. These bugs can be exploited by sending the unpatched servers a specialized Web request that contains a special sequence of characters. Reference: https://arstechnica.com/information-technology/2019/08/hackers-are-actively-trying-to-steal-passwords-from-two-widely-used-vpns/

Snort SIDs: 51370 - 51372, 51387 (Written by John Levy)

 

Title: Multiple vulnerabilities disclosed in Cisco NX-OS software

Description: Cisco disclosed three denial-of-service vulnerabilities in its NX-OS software: CVE-2019-1965, CVE-2019-1964 and CVE-2019-1962. These bugs can cause a variety of conditions, including forced reboots, crashes or disruption of certain processes. All three are considered high-severity vulnerabilities.

Reference:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-memleak-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ipv6-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-fsip-dos

Snort SIDs: 51365 - 51367 (Written by John Levy)


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Google's Project Zero uncovered several malicious websites that compormised iPhones for years, just by having users visit them.

https://www.cnet.com/news/google-says-iphone-security-flaws-let-websites-hack-them-for-years/


Security researchers believe this discovery could lead to a new wave of attacks on iPhones after the devices were mainly targets of nation-state actors.

https://www.wired.com/story/ios-attack-watering-hole-project-zero/


A new report suggests ransomware attacks may be on the rise because threat actors are encouraged by extortion payments from insurance companies.

https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks


Attackers used the "SIM hacking" technique to take over Twitter CEO Jack Dorsey's personal account, posting offensive messages and linking to the group's Discord channel.

https://www.theverge.com/2019/8/31/20841448/jack-dorsey-twitter-hacked-account-sim-swapping


Amazon's Ring home security service recently released a list of the more than 400 police departments it partners with for a variety of reasons, and a new map can help users see what their cameras' footage may be used for.

https://lifehacker.com/how-to-see-if-police-are-using-ring-doorbells-to-monito-1837797394


Apple apologized to users for its practice of allowing contracted employees to listen in on Siri recordings. The company now says it will be an opt-in program, with the goal of improving the AI assistant.

https://www.theguardian.com/technology/2019/aug/29/apple-apologises-listen-siri-recordings


Chinese tech company Huawei accused the U.S. of launching cyber attacks against its networks, while also denying allegations that it stole smart camera technology from a Portuguese firm.

https://www.wsj.com/articles/huawei-accuses-the-u-s-of-cyberattacks-threatening-its-employees-11567500484


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2019-12643

Title:    Cisco IOS XE REST API Container Software Authentication Bypass Vulnerability

Vendor:    Cisco

Description: This vulnerability resides in the Cisco REST API virtual service container, however, it affects devices running Cisco IOS XE Software when exploited. A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device. The security issue is tracked as CVE-2019-12643 and has received a maximum severity rating score of 10 based on CVSS v3 Scoring system.

CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-1663

Title:    Cisco Routers Remote Command Execution Vulnerability

Vendor:    Cisco

Description: A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. A remote attacker can exploit this issue to execute arbitrary commands on the host operating system with escalated privileges.

CVSS v2 Base Score:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-1622

Title:    Cisco Data Center Network Manager Information Disclosure Vulnerability

Vendor:    Cisco

Description: A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software. An attacker could exploit this vulnerability by connecting to the web-based management interface of an affected device and requesting specific URLs. A successful exploit could allow the attacker to download log files and diagnostic information from the affected device.

CVSS v2 Base Score:    5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)


ID:        CVE-2019-1935

Title:    Cisco UCS Director Unauthenticated Remote Access Vulnerability

Vendor:    Cisco

Description: A vulnerability in Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to log in to the CLI of an affected system by using the SCP User account (scpuser), which has default user credentials. The vulnerability is due to the presence of a documented default account with an undocumented default password and incorrect permission settings for that account. Due to several coding errors, it is possible for an unauthenticated remote attacker with no privileges to bypass authentication and abuse a password change function to inject arbitrary commands and execute code

as root. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the scpuser account.

CVSS v2 Base Score:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-15637

Title:    Tableau XML External Entity Injection Vulnerability.

Vendor: Tableau

Description: Numerous Tableau products are vulnerable to XXE (XML External Entity) vulnerability beacuse of a malicious workbook, extension, or data source, leading to information disclosure or a denial of service vulnerability. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop.

CVSS v2 Base Score:    5.5 (AV:N/AC:L/Au:S/C:P/I:N/A:P)


ID:        CVE-2019-10149

Title:    Exim Remote Command Execution Vulnerability

Vendor:    Exim

Description: Exim is affected by remote command execution vulnerability. The vulnerability is exploitable instantly by a local attacker, remotely exploit this vulnerability in the default configuration. An attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes), faster methods may exist. Successful exploitation will lead to remote command execution.

CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


=========================================================


MOST PREVALENT MALWARE FILES Aug. 29 - Sept. 5:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 9a082883ad89498af3ad8ece88d982736edbd46d65908617cf292cf7b5836dbc

MD5: 7a6f7f930217521e47c7b8d91fb79649

VirusTotal: https://www.virustotal.com/gui/file/9a082883ad89498af3ad8ece88d982736edbd46d65908617cf292cf7b5836dbc/details

Typical Filename: DHL Scan File.img

Claimed Product: IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER!

Detection Name: W32.9A082883AD-100.SBX.TG


SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: xme64-2141.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


SHA 256: 1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c

MD5: c785a8b0be77a216a5223c41d8dd937f

VirusTotal: https://www.virustotal.com/gui/file/1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c/details

Typical Filename: cslast.gif

Claimed Product: N/A

Detection Name: W32.1755C179F0-100.SBX.TG


SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7

MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f

VirusTotal: https://www.virustotal.com/gui/file/093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7/details

Typical Filename: sayext.gif

Claimed Product: N/A

Detection Name: W32.093CC39350-100.SBX.TG


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743