SANS Network Security offers 40+ cyber security courses in Las Vegas or Live Online. Save $300 thru tomorrow.

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

December 26, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                    December 26, 2019 - Vol. 19, Num. 52


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

MOST PREVALENT MALWARE FILES Dec. 19 - 26

============================================================


TOP VULNERABILITY THIS WEEK: Attackers utilize Cisco ASA bug to carry out DoS attacks


******************** Sponsored By SANS ********************


Kick off RSA Conference 2020 with Hands-on SANS Training | San Francisco, CA | Feb 23-24. Develop the skills you need to better protect your organization with SANS information security training at RSA Conference 2020. http://www.sans.org/info/215100


============================================================

TRAINING UPDATE



-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020


 

-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020


 

-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020


 

-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020


 

-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020


                                                                                                            

-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020


 

-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020


 

-- ICS Security Summit & Training | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020


 

-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020


 

-- SANS OnDemand and vLive Training


Get an iPad Mini, a Samsung Galaxy Tab S2, or Take $300 Off through January 8 with OnDemand or vLive training.


https://www.sans.org/online-security-training/specials/


 

-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


 

-- Single Course Training


SANS Mentor |  https://www.sans.org/mentor/about


Community SANS | https://www.sans.org/community/


 

-- View the full SANS course catalog and Cyber Security Skills Roadmap


https://www.sans.org/courses


https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1. Webcast January 14 at 1 PM ET: What Really Matters to Security Teams: Endpoint Security Priorities for 2020. http://www.sans.org/info/215105


2. ICYMI Webcast: David Szili discusses his experience using Mimecast's Web Security Service. View here: http://www.sans.org/info/215110


3. In the Austin area? Join us for the Automation & Orchestration Forum on January 30: http://www.sans.org/info/215115


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Old vulnerability in Cisco Adaptive Security Appliances exploited in DoS attacks

Description: Attackers are exploiting a patched vulnerability in Cisco ASA to carry out denial-of-service attacks and steal critical information. The vulnerability, CVE-2018-0296, is directory traversal bug found in the web framework of Adaptive Security Appliance and Firepower Appliance. The attacker can use a specially crafted URL to cause the ASA appliance to reboot or disclose unauthenticated information. This vulnerability was first discovered and patched in June 2018, but vulnerable devices are still being targeted.

Reference: https://www.bleepingcomputer.com/news/security/cisco-security-appliances-targeted-for-dos-attacks-via-old-bug/

Snort SIDs: 46897

 

Title: Multiple vulnerabilities in some WAGO devices

Description: The WAGO PFC200 and PFC100 controllers contain multiple exploitable vulnerabilities. The PFC200 is one of WAGOs programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing and building management. The vulnerabilities disclosed here all have their root cause within the protocol handling code of the I/O Check (iocheckd) configuration service used by the controllers. The vulnerabilities discussed here could allow an attacker to remotely execute code, deny service to the device or weaken device login credentials.

Reference: https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-multiple.html

Snort SIDs: 50786 - 50789, 50790 - 50793, 50797


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Reporters and researchers at the New York Times were able to use leaked location data to track cell phone users across the U.S., even President Donald Trump, the sign of a major national security risk.

https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html


The login credentials for more than 3,000 Ring camera users were leaked last week, the latest blow to the Amazon-owned security company.

https://www.buzzfeednews.com/article/carolinehaskins1/data-leak-exposes-personal-data-over-3000-ring-camera-users


Gas station chain Wawa says it was the victim of a credit card-stealing attack since March, potentially affecting every customer at each of its locations. The company is offering victims free fraud protection for a year.

https://slate.com/technology/2019/12/how-bad-is-the-wawa-data-breach.html


A U.S. government-sponsored study found there is a high rate of error in facial recognition technology, especially among non-whites, often assigning individuals the wrong genger or identifying them as the incorrect race.

https://news.yahoo.com/massive-errors-found-facial-recognition-tech-us-study-215334634.html?guccounter=1


An airline in Alaska had to cancel several flights after what the company called a malicious cyber attack.

https://www.usatoday.com/story/travel/news/2019/12/22/alaska-airline-cancels-flights-after-malicious-cyber-attack/2727709001/


U.S. military members are now banned from using the popular social media app TikTok on government-issued devices, citing security concerns based on the app developers potential connections to China.

https://www.pcmag.com/news/372673/us-navy-bans-tiktok-citing-cybersecurity-threat


Content management system Drupal released a series of security updates, fixing a critical vulnerability that could allow an attacker to directly upload some malicious files to a website.

https://thehackernews.com/2019/12/drupal-website-hacking.html


An exposed Elasticsearch database exposed the personal information of more than 26,000 Honda car owners, including names, addresses, VINs and email addresses.

https://www.scmagazine.com/home/security-news/database-security/open-database-exposes-26000-honda-motors-customers/


=========================================================



MOST PREVALENT MALWARE FILES Dec. 19 - 26:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871

MD5: c2406fc0fce67ae79e625013325e2a68

VirusTotal: https://www.virustotal.com/gui/file/1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871/details

Typical Filename: SegurazoIC.exe

Claimed Product: Digital Communications Inc.

Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201


SHA 256: b32093d726609c88a06f71b8fe74e9e5a04c2dfe81fc39743bdd970bf4dea017

MD5: baadce7c152b24bd48cc1f2f4a0b088d

VirusTotal: https://www.virustotal.com/gui/file/b32093d726609c88a06f71b8fe74e9e5a04c2dfe81fc39743bdd970bf4dea017/details

Typical Filename: xme64-530.exe

Claimed Product: N/A

Detection Name: W32.B32093D726-100.SBX.TG


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743