Last Day to Save $400! Choose from Seven Courses at SANS Phoenix-Mesa 2017. Register Now.

Newsletters: @RISK


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

June 2, 2016
=============================================================

@RISK: The Consensus Security Vulnerability Alert

Vol. 16, Num. 22

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked

Archived issues may be found at http://www.sans.org/newsletters/at-risk

=============================================================

CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 2016-05-24 - 2016-05-31
============================================================

TOP VULNERABILITY THIS WEEK: New Method "SandJacking" Potentially Allows Attackers to Install Malicious iOS Apps

******************* Sponsored By Sophos Inc. *******************

Companies are leaving Symantec - find out why!
You face a dynamic threat environment. Is your endpoint security keeping pace? More and more customers are switching to Sophos to get innovative protection they can actually use, backed by world-class technical support. Find out more:
http://www.sans.org/info/186322

============================================================

TRAINING UPDATE

- --SANSFIRE 2016| Washington, DC | June 11-18 | Exclusive event powered by the Internet Storm Center 47 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
http://www.sans.org/u/gRm

- -- DFIR Summit & Training | Austin, TX | June 23-30, 2016 DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR Netwars, Night Out in Austin!, and @Night talks!
http://www.sans.org/u/gRG

- --SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 | New event with 6 courses in the IT security, security management, forensics, application developer, and industrial control systems disciplines plus multiple bonus evening presentations.
http://www.sans.org/u/gRV

- --SANS Rocky Mountain | Denver, CO | July 11-16 | 20 courses including the NEW Cyber Threat Intelligence course! 2 nights of Core NetWars tournaments, 8 bonus evening talks plus the vendor showcase providing networking opportunities.
http://www.sans.org/u/gSp

- --SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | 8 courses in the IT security, pen testing, security management, and forensic and incident response disciplines and networking opportunities at the SANS@Night evening talks.
http://www.sans.org/u/gSJ

- --SANS San Antonio | San Antonio, TX | July 18-23 | 8 courses including the new Cyber Threat Intelligence, 2 nights of Core NetWars tournaments plus 6 bonus SANS@Night evening talks.
http://www.sans.org/u/gSO

- --Industrial Control Systems Security Training | Houston, TX | July 25-30| Five ICS-Focused courses including the NEW Essentials for NERC Critical Infrastructure Protection course! Networking opportunities at the ICS Security Briefing and SANS@Night Talks.
http://www.sans.org/u/hMs

- --Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | Two days of Security Awareness talks and 6 SANS courses: Intro to Info Security, Advanced Security Essentials, Critical Security Controls, CISSP Cert Preparation, Intro to Cyber Risk, Securing the Human
http://www.sans.org/u/i2o

- - --Can't travel? SANS offers LIVE online instruction.
Day (Simulcast - http://www.sans.org/u/WK) and Evening (vLive - http://www.sans.org/u/WZ) courses available!

- -- Multi-week Live SANS training
Mentor -http://www.sans.org/u/X9
Contact mentor@sans.org

- -- Looking for training in your own community?
Community -http://www.sans.org/u/Xo

- -- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/XD

Plus Berlin, Delhi, Vienna, and Portland, all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XN

********************** Sponsored Links: ********************

1) The Case for PIM/PAM in Todays Infosec. Tuesday, June 14th, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with Barbara Filkins and Ken Ammon.
http://www.sans.org/info/186327

2) MobileIron Mobile Security and Risk Review Research Results. Wednesday, June 15th, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with David Schwaartzberg.
http://www.sans.org/info/186332

3) Warning: Email may be Hazardous to your Business. Wednesday, June 15th, 2016 at 3:00 PM (15:00:00 EDT/US Eastern) with John Devenyns.
http://www.sans.org/info/186342

============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: New Method "SandJacking" Potentially Allows Attackers to Install Malicious iOS Apps
Description: Chilik Tamir of mobile security firm Mi3 disclosed a previously unknown way of installing malicious iOS apps at Hack in the Box - Amsterdam. Tamir previously released a proof-of-concept tool call "Su-A-Cyder" that could be used to replace legitimate apps with malicious ones on an iOS device. Since then, he has identified a new technique called "SandJacking" that leverages the "Su-A-Cyder" method which works on the latest iOS devices. The newest method leverages the restore process. This issue has been reported to Apple, but a patch for this has not yet been released.
Reference:
https://conference.hitb.org/hitbsecconf2016ams/materials/D1T2%20-%20Chilik%20Tamir%20-%20Profiting%20from%20iOS%20Malware.pdf

============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Research Spotlight: ROPMEMU - A Framework for the Analysis of Complex Code Reuse Attacks
http://blog.talosintel.com/2016/06/ropmemu.html?f_l=s

Inside The Million-Machine Clickfraud Botnet
https://labs.bitdefender.com/2016/05/inside-the-million-machine-clickfraud-botnet/

Dridex Poses as Fake Certificate in Latest Spam Run
http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-poses-as-fake-certificate/?

DDoS Attacks via TFTP Protocol Become a Reality After Research Goes Public
http://news.softpedia.com/news/ddos-attacks-via-tftp-protocol-become-a-reality-after-research-goes-public-504713.shtml

SWIFT attackers' malware linked to more financial attacks
http://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks

=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2016-0185
Title: Microsoft Windows Media Center Input Validation Remote Code Execution Vulneraiblity (MS16-059)
Vendor: Microsoft
Description: Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, and Windows 8.1 allows remote attackers to execute arbitrary code via a crafted Media Center link (aka .mcl) file, aka "Windows Media Center Remote Code Execution Vulnerability."
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2016-4117
Title: Adobe Flash Player Integer Overflow Code Execution Vulnerability (APSA16-02)
Vendor: Adobe
Description: Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2016-0189
Title: Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability
Vendor: Microsoft
Description: The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0187.
CVSS v2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

ID: CVE-2016-1287
Title: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
Vendor: Cisco
Description: Buffer overflow in the IKEv1 and IKEv2 implementations in Cisco ASA Software before 8.4(7.30), 8.7 before 8.7(1.18), 9.0 before 9.0(4.38), 9.1 before 9.1(7), 9.2 before 9.2(4.5), 9.3 before 9.3(3.7), 9.4 before 9.4(2.4), and 9.5 before 9.5(2.2) on ASA 5500 devices, ASA 5500-X devices, ASA Services Module for Cisco Catalyst 6500 and Cisco 7600 devices, ASA 1000V devices, Adaptive Security Virtual Appliance (aka ASAv), Firepower 9300 ASA Security Module, and ISA 3000 devices allows remote attackers to execute arbitrary code or cause a denial of service (device reload) via crafted UDP packets, aka Bug IDs CSCux29978 and CSCux42019.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2016-3081
Title: Apache Struts Input Validation Remote Code Execution Vulnerability
Vendor: Apache Structs
Description: Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2016-1019
Title: Adobe Flash Player Code Execution Vulnerability
Vendor: Adobe
Description: Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, as exploited in the wild in April 2016.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2016-1010
Title: Adobe Flash Player Integer Overflow Code Execution Vulnerability
Vendor: Adobe
Description: Integer overflow in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0963 and CVE-2016-0993.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

=========================================================
MOST PREVALENT MALWARE FILES 2016-05-24 - 2016-05-31:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 671F56304C53B1C54736ED760C65A99955258D18A5EFA2C39989FFB62F4F9D97 MD5: 971d031e0468644ccbadbf22270f5b6c
VirusTotal:
https://www.virustotal.com/file/671F56304C53B1C54736ED760C65A99955258D18A5EFA2C39989FFB62F4F9D97/analysis/#additional-info
Typical Filename: le2438.zip
Claimed Product: N/A
Detection Name: W32.671F56304C-100.SBX.VIOC

SHA 256: 848F73D2A209B00283A244C764E990E22DDD4F999B0AE4D3E37A21824569C8DF
MD5: 9197b4fa7e0004c3738e04eecc5acb71
VirusTotal:
https://www.virustotal.com/file/848F73D2A209B00283A244C764E990E22DDD4F999B0AE4D3E37A21824569C8DF/analysis/#additional-info
Typical Filename: 5668190953.doc
Claimed Product: N/A
Detection Name: W32.848F73D2A2-100.SBX.TG

SHA 256: D6F0900270940398C4C0673D4AF77B9158A24F69E8DCB39F9EBB6F949E59D9A6
MD5: 371fa4d720b241cc1b21c80970e3262a
VirusTotal:
https://www.virustotal.com/file/D6F0900270940398C4C0673D4AF77B9158A24F69E8DCB39F9EBB6F949E59D9A6/analysis/#additional-info
Typical Filename: contract_3101747.doc
Claimed Product: N/A
Detection Name: W32.D6F0900270-100.SBX.TG

SHA 256: 25D0963F8E33FA800F9E0A1700FE15A441D6E04B18D522DED18672A044569BCA
MD5: 2d0e3c6a1ca54a92250317eeeec0df18
VirusTotal:
https://www.virustotal.com/file/25D0963F8E33FA800F9E0A1700FE15A441D6E04B18D522DED18672A044569BCA/analysis/#additional-info
Typical Filename: sogouexe.exe
Claimed Product: "???????"
Detection Name: W32.25D0963F8E-100.SBX.VIOC

SHA 256: 93E434C5554AED4C0770D4F58F1AD56EB7208109A84473FE39CBB6BC4E8E85F7
MD5: 16e9736ea3577e7844d67f96b738faf2
VirusTotal:
https://www.virustotal.com/file/93E434C5554AED4C0770D4F58F1AD56EB7208109A84473FE39CBB6BC4E8E85F7/analysis/#additional-info
Typical Filename: 6013190921.doc
Claimed Product: N/A
Detection Name: W32.93E434C555-100.SBX.TG

=============================================================

(c) 2016. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account

SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743