Cybersecurity training without home or office distractions: 11 courses | San Francisco | Dec 2-7

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

October 10, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

              October 10, 2019 - Vol. 19, Num. 41


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Oct. 3 - 10

============================================================


TOP VULNERABILITY THIS WEEK: Microsoft Patch Tuesday - Oct. 2019: Vulnerability disclosures and Snort coverage


******************* Sponsored By Deloitte ******************


2019 SANS SOC Survey for Oil and Gas. The goal of this survey is to provide benchmarks for those seeking to establish or improve security operations center (SOC) in the utilities/oil and gas sectors. Take this survey and enter for win a $400 Amazon gift card: http://www.sans.org/info/214435


============================================================

TRAINING UPDATE

 

-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS Amsterdam October 2019 | October 28-November 2 | https://www.sans.org/event/amsterdam-october-2019


-- DFIRCON 2019 | Miami, FL | November 4-9 | https://www.sans.org/event/dfircon-miami-2019


-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019


-- SANS Sydney 2019 | November 4-23 | https://www.sans.org/event/sydney-2019


-- SANS London November 2019 | November 11-16 | https://www.sans.org/event/london-november-2019


-- SANS Atlanta Fall 2019 | November 18-23 | https://www.sans.org/event/atlanta-fall-2019


-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019


-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020


-- SANS OnDemand and vLive Training

Get a 7th gen 10.2" iPad, Samsung Galaxy Tab A, or Take $250 off through October 16 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Attend this free half day event in Denver on October 18 | SANS Cloud Security Operations Forum: http://www.sans.org/info/214440


2) How is your organization managing the risks associated with workforce transformation? Take this survey: http://www.sans.org/info/214445


3) Webcast October 15th at 10:30 AM ET: Hear how software supply chains are evolving with ReversingLabs: http://www.sans.org/info/214450


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft discloses 60 vulnerabilities as part of monthly security update

Description: Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 60 vulnerabilities, nine of which are considered "critical," with the rest being deemed "important."

This month's security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software.

Reference: https://blog.talosintelligence.com/2019/10/microsoft-patch-tuesday-oct-2019.html

Snort SIDs: 51733 - 51736, 51739 - 51742, 51781 - 51794

 

Title: Multiple vulnerabilities in Schneider Electric Modicon M580

Description: There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, the majority of which can cause a denial of service. The Modicon M580 is the latest in Schneider Electric's Modicon line of programmable automation controllers. The majority of the bugs exist in the Modicon's use of FTP. Schneider Electric Modicon M580, BMEP582040 SV2.80, is affected by these vulnerabilities.

Reference: https://blog.talosintelligence.com/2019/10/vuln-spotlight-schneider-electric-m580-part-2-sept-2019.html

Snort SIDs: 49982, 49983


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Twitter says it used phone numbers and emails linked to two-factor authentication to serve targeted ads.

https://techcrunch.com/2019/10/08/twitter-admits-it-used-two-factor-phone-numbers-and-emails-for-targeted-advertising/


An Iranian hacking group carried out targeted attacks on Microsoft email accounts, including many that belonged to a U.S. presidential candidate.

https://www.geekwire.com/2019/iranian-hacker-group-attacked-hundreds-email-accounts-tied-us-presidential-candidate-microsoft-says/


After this group's actions were uncovered, the hacking group started to go after researchers who are looking into their attacks.

https://www.cyberscoop.com/iran-hacking-clearsky-microsoft-charming-kitten/


A group of cyber security firms are teaming up to promote greater cooperation between the companies' products, including a shared set of protocols and standards.

https://www.cbronline.com/news/open-cybersecurity-alliance


The U.S. government is increasingly using child exploitation as an argument against encryption, but experts worry it will mislead the American public on encryption's advantages.

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/10/08/the-cybersecurity-202-experts-slam-justice-s-move-to-make-child-exploitation-the-face-of-antiencryption-push/5d9b664e88e0fa747e6d5169/


Cyber security agencies in the U.S. and U.K. warned of state-sponsored attacks against several popular VPN services.

https://www.zdnet.com/article/vpn-users-if-youre-on-fortinet-palo-alto-pulse-secure-patch-now-warns-spy-agency/


Several hospitals across the U.S. and Australia were taken offline in the past week due to ransomware attacks.

https://www.welivesecurity.com/2019/10/03/hospitals-us-australia-ransomware/


Apple released its new Catalina operating system this week, and it comes with several new security features.

https://www.zdnet.com/article/these-are-the-macos-catalina-10-15-security-updates-you-need-to-know-about/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2019-11932

Title:    Anchor CMS Information Disclosure Vulnerability

Vendor:    Anchor CMS

Description: A double free vulnerability in the DDGifSlurp function in decoding.c in libpl_droidsonroids_gif as used in WhatsApp for Android, allows remote attackers to execute arbitrary code or cause a denial of service. By default, AnchorCMS will log errors to the "/anchor/errors.log" file in the webroot of the web application. This allows malicious users to access the error log and view potentially sensitive information.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-1367

Title:    Microsoft Scripting Engine Memory Corruption Vulnerability

Vendor:    Microsoft

Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. This CVE ID is unique from CVE-2019-1221.

CVSS v2 Base Score:    7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-1315

Title:    Microsoft Windows Error Reporting Privilege Escalation Vulnerability

Vendor:    Microsoft

Description: Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of hard links by the Error Reporting manager. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to take control of the system.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-16920

Title:    D-Link Unauthenticated Command-Injection Vulnerability

Vendor:    D-Link

Description: The vulnerability exists in the latest firmware for the DIR-655, DIR-866L, DIR-652 and DHP-1565 products, which are Wi-Fi routers. The vulnerability exists due to improper sanitization of arbitrary commands that are executed by the native command-execution function. An attacker who successfully triggers the command injection could achieve full system compromise.

Fortinet's FortiGuard Labs has discovered an unauthenticated remote code execution vulnerability in D-Link products.

CVSS v2 Base Score:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-17132

Title:    vBulletin Authenticated Remote Code Execution Vulnerability

Vendor:    vBulletin

Description: A remote code execution vulnerability exist in User input passed through the "data[extension]" and "data[filedata]" parameters to the "ajax/api/user/updateAvatar" endpoint, that is not properly validated before being used to update users avatars. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires the "Save Avatars as Files" option to be enabled (disabled by default).

CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)


ID:        CVE-2019-4013

Title:    IBM Bigfix Platform Arbitrary File Upload Vulnerability

Vendor:    IBM

Description: IBM BigFix Platform could allow any authenticated user to upload any file to any location on the server with root privileges. This results in code execution on underlying system with root privileges. An attacker can for example upload script file on the web server and execute it by sending GET request.

CVSS v2 Base Score:    9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)


=========================================================


MOST PREVALENT MALWARE FILES Oct. 3 - 10:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: xme64-2141.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


SHA 256: ce8cb7c8dc29b9e4feab463fdf53b569b69e6a5c4ab0e50513b264563d74a6ac

MD5: 0e02555ede71bc6c724f9f924320e020

VirusTotal: https://www.virustotal.com/gui/file/ce8cb7c8dc29b9e4feab463fdf53b569b69e6a5c4ab0e50513b264563d74a6ac/details

Typical Filename: dllhostex.exe

Claimed Product: Microsoft(R) Windows(R) Operating System

Detection Name: W32.CoinMiner:CryptoMinerY.22k3.1201


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743