SANSFIRE is right around the corner June 13-20 - Live Online, Register today!

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

October 17, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

              October 17, 2019 - Vol. 19, Num. 42


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Oct. 10 - 17

============================================================


TOP VULNERABILITY THIS WEEK: WebKit bug affects Safari, Chrome users


*************** Sponsored By AWS Marketplace ***************


Learn About Tools and Techniques for Effective Security Investigations in AWS Instances. Learn how to plan for a cloud-based investigation, perform prerequisites, and select services and controls. Also learn what data sources to leverage when investigating and containing an incident in the cloud, how to determine source and timeline, and more. October 22, 2 PM ET. http://www.sans.org/info/214495


============================================================

TRAINING UPDATE

 

-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS Amsterdam October 2019 | October 28-November 2 | https://www.sans.org/event/amsterdam-october-2019


-- DFIRCON 2019 | Miami, FL | November 4-9 | https://www.sans.org/event/dfircon-miami-2019


-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019


-- SANS Sydney 2019 | November 4-23 | https://www.sans.org/event/sydney-2019


-- SANS London November 2019 | November 11-16 | https://www.sans.org/event/london-november-2019


-- SANS Atlanta Fall 2019 | November 18-23 | https://www.sans.org/event/atlanta-fall-2019


-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019


-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020


-- SANS OnDemand and vLive Training

Get an iPad Mini, an ASUS Chromebook Flip, or Take $250 Off through October 30 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) ICYMI Webcast: See how this solution is helping organizations build automated security controls into their applications. http://www.sans.org/info/214500


2) Take the 2020 SANS Cyber Threat Intelligence Survey and enter to win a $400 Amazon gift card: http://www.sans.org/info/214505


3) Webcast October 22nd at 1 PM ET: Converged Threat and Performance Management - Listen to Your Network! http://www.sans.org/info/214510


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Apple WebKit opens users up to malicious advertising

Description: Multiple vulnerabilities in Apple's WebKit are allowing attackers to serve users' malicious advertisements. This campaign affected the Google Chrome and Safari web browsers on iOS and MacOS, but the vulnerabilities were all patched out in Apple's latest series of security updates. All the ads centered around the user's specific mobile carrier, hoping to entice them to visit malicious websites. The vulnerabilities would allow the ads to break out of any sandboxes in place.

Reference: https://9to5mac.com/2019/10/02/scam-popup-ads/

Snort SIDs: 51821 - 51824, 51831, 58132 (By John Levy)

 

Title: Remote code execution bug in vBulletin

Description: A now-patched vulnerability in the popular service vBulletin is allowing attackers to completely take over sites that use the software. vBulletin powers the commenting functions for many popular sites. An attacker could exploit this vulnerability to gain the ability to remotely execute malicious code on any vBulletin server running versions 5.0.0 through 5.5.4. This bug was initially dropped as a zero-day by an anonymous user, but has since been patched by the company. The Snort rules below prevent any attempt to inject code into the server using this bug. Marcos Rodriguez wrote these rules.

Reference: https://arstechnica.com/information-technology/2019/09/public-exploit-code-spawns-mass-attacks-against-high-severity-vbulletin-bug/

Snort SIDs: 51834 - 51837 (By Marcos Rodriguez)


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Two high-profile Moroccan activists had their mobile phones targeted by the Israeli-connected Pegasus spyware.

https://arstechnica.com/information-technology/2019/10/activists-phones-targeted-by-one-of-the-worlds-most-advanced-espionage-apps/


Google's new Pixel 4 and Pixel XL will have the ability to transcribe users' voice recordings in notes mode, even if the device is offline.

https://techcrunch.com/2019/10/15/googles-new-voice-recorder-app-transcribes-in-real-time-even-when-offline/


A new wave of ATM "jackpotting" malware has hit banks across the globe, forcing ATMs to randomly spit out all of the money they contain.

https://www.vice.com/en_us/article/7x5ddg/malware-that-spits-cash-out-of-atms-has-spread-across-the-world


GitHub continues to receive pushback for its connection to China and U.S. Immigration and Customs Enforcement, even holding a secret meeting with its employees to discuss renewing the company's contract with ICE.

https://www.theverge.com/2019/10/10/20908713/github-ceo-china-transcript-leak-microsoft


Mozilla says it's better protecting Firefox from code injection attacks by removing inline scripts in the web browser.

https://www.zdnet.com/article/mozilla-to-firefox-users-heres-how-were-protecting-you-from-code-injection-attacks/


Any escalation of cyber war between the U.S. and Iran could have wide-ranging consequences, with the worst possible scenario being the deployment of Stuxnet.

https://www.cpomagazine.com/cyber-security/cyber-war-between-iran-and-united-states-could-have-far-reaching-implications/


A popular app highly promoted by China's government may actually be giving them the ability to monitor more than 100 million users' habits and copy the data from their mobile device.

https://www.bbc.com/news/technology-50042379


A popular underground marketplace for stolen credit card information was hacked, and a text file containing all the information in the store was shared with financial institutions who could alert the owners of the cards.

https://krebsonsecurity.com/2019/10/briansclub-hack-rescues-26m-stolen-cards/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2019-6971

Title:    TP-Link Authentication Bypass Vulnerability

Vendor:    TP-Link

Description: An issue was discovered on TP-Link TL-WR1043ND V2 devices. An attacker can send a cookie in an HTTP authentication packet to the router management web interface, and fully control the router without knowledge of the credentials.

CVSS v2 Base Score:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-1347

Title:    Microsoft Windows Denial of Service Vulnerability

Vendor:    Microsoft

Description: A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding.

Note: This CVE ID is unique from CVE-2019-1343, CVE-2019-1346.

CVSS v2 Base Score:    7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)


ID:        CVE-2019-1346

Title:    Microsoft Windows Denial of Service Vulnerability

Vendor:    Microsoft

Description: The Microsoft Windows kernel suffers from an out-of-bounds read vulnerability in CI!HashKComputeFirstPageHash while parsing a malformed PE file. An attacker who successfully exploited the vulnerability could cause a target system to stop responding.

Note: This CVE ID is unique from CVE-2019-1343, CVE-2019-1347.

CVSS v2 Base Score:    7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)


ID:        CVE-2019-1343

Title:    Microsoft Windows Denial of Service Vulnerability

Vendor:    Microsoft

Description: The Microsoft Windows kernel suffers from a null pointer dereference vulnerability in nt!MiOffsetToProtos while parsing a malformed PE file. A denial of service vulnerability exists when Windows improperly handles objects in memory.

Note: This CVE ID is unique from CVE-2019-1346, CVE-2019-1347.

CVSS v2 Base Score:    7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)


ID:        CVE-2019-17503, CVE-2019-17504

Title:    Kirona-DRS Information Disclosure Vulnerability

Vendor:    Kirona

Description: An information disclosure vulnerability exists in Kirona Dynamic Resource Scheduling (DRS). An unauthenticated user can access /osm/REGISTER.cmd (aka /osm_tiles/REGISTER.cmd) directly that contains sensitive information about the database through the SQL queries within this batch file. This file exposes SQL database information such as database version, table name, column name, etc.

CVSS v2 Base Score:    5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)


ID:        CVE-2019-11932

Title:    Whatsapp Remote Code Execution Vulnerability

Vendor:    Whatsapp

Description: A double free vulnerability in the DDGifSlurp function in decoding.c in libpl_droidsonroids_gif, as used in WhatsApp for Android, allows remote attackers to execute arbitrary code or cause a denial of service.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-14287

Title:    sudo Security Bypass Vulnerability

Vendor:    Multi-Vendor

Description: When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.

CVSS v2 Base Score:    7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


=========================================================


MOST PREVALENT MALWARE FILES Oct. 10 - 17:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.WNCryLdrA:Trojan.22k2.1201


SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: xme64-2141.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08

MD5: db69eaaea4d49703f161c81e6fdd036f

VirusTotal: https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details

Typical Filename: xme32-2141-gcc.exe

Claimed Product: N/A

Detection Name: W32.46B241E3D3-95.SBX.TG


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743