weekly awareness report (war)informationwarfarecenter.com/cir/archived/cyber... · 5/6/2019 · *...
TRANSCRIPT
05-06
Weekly Awareness Report (WAR)
May 6, 2019
The Cyber Intelligence Report is an Open Source Intelligence AKA OSINT resource focusing on advanced persistent threatsand other digital dangers received by over ten thousand individuals. APTs fit into a cybercrime category directed at bothbusiness and political targets. Attack vectors include system compromise, social engineering, and even traditionalespionage. Included are clickable links to news stories, vulnerabilities, exploits, & other industry risk.
Summary
Symantec ThreatCon Low: Basic network posture
This condition applies when there is no discernible network incident activity and no maliciouscode activity with a moderate or severe risk rating. Under these conditions, only a routinesecurity posture, designed to defeat normal network threats, is warranted. Automated systemsand alerting mechanisms should be used.
Sophos: last 10 Malware* Troj/TrickBo-QR* Troj/Fareit-HNG* Troj/Trickbo-QQ* Troj/Ransom-FJQ* Troj/Agent-BBJK* Troj/OSMod-G* Troj/Godrop-E* Troj/Emotet-BEL* Troj/DownLnk-AB* Troj/Stealer-OG
Last 10 PUAs* PowerTool* PlayGames Dialer* Neoreklami* Adposhel* OxyPumper* IStartSurfInstaller* Altnet* VModz GameHack* PC Speed Up Pro* InstallCore
Interesting News
* I know what you did last summer, MuddyWater blending in the crowdThis report details a collection of tools used by MuddyWater threat actor on its targets after initial infection. It also detailsdeceptive techniques used to divert investigations once attack tools have been deployed inside victim systems.
* * The IWC Cyber Range is scheduled to release a new version May 1st. Ghidra and Grass Marlin are now installed alongwith several more Red/Blue Team tools. If you are interested, we have an active FaceBook Group and YouTube Channel. As always, if you have any suggestions, feel free to let us know. Subscribe if you would like to receive the CIR updates bysending us an email: [email protected]
Index of Sections
Current News
* Packet Storm Security
* Dark Reading
* Krebs on Security
* The Hacker News
* Infosecurity Magazine
* Threat Post
* Naked Security
* Quick Heal - Security Simplified
Hacker Corner: Tools, Hacked Defacements, and Exploits
* Security Conferences
* Packet Storm Security Latest Published Tools
* Zone-H Latest Published Website Defacements
* Packet Storm Security Latest Published Exploits
* Exploit Database Releases
Advisories
* Secunia Chart of Vulnerabilities Identified
* US-Cert (Current Activity-Alerts-Bulletins)
* Symantec's Latest List
* Packet Storm Security's Latest List
Credits
News
Packet Storm Security
* In A First, Israel Responds To Hamas Hackers With An Air-Strike* Japanese Govt To Create And Maintain Defensive Malware* Australia's Cybersecurity Chief Alastair MacGibbon Resigns* Inside Facebook's War Room: The Battle To Protect EU Elections* Retefe Banking Trojan Resurfaces, Says Goodbye To Tor* Denial Of Service Event Impacted U.S. Power Utility Last Month* Hacker Takes Over 29 IoT Botnets* A Hacker Is Wiping Git Repositories And Asking For A Ransom* A Mysterious Hacker Group Is On A Supply Chain Hijacking Spree* HMRC Forced To Delete Five Million Voice Files* Law Enforcement Seizes Wall Street Market After Moderator Leaks Backend Credentials* Putin Signs Internet Sovereignty Bill That Expands Censorship* Evaluating The GDPR Experiment* Google To Auto-Delete Web Tracking History* Hackers Lurked In Citrix Systems For Six Months* 50,000 Companies Exposed To Hacks Of Business Critical SAP Systems* Cartoon Network Hacked Worldwide To Show Brazilian Stripper Videos* Further Details On Wipro Phishing Attack Revealed* Defense Secretary Gavin Williamson Sacked Over Huawei Leak* Congress Gets A Different Perspective On Data Privacy* Dell Laptops And Computers Vulnerable To Remote Hijacks* Researchers Compromise Netflix Content In Widevine DRM Hack* Phone And Laptop Searches Quadruple At US Border* Oracle's Weblogic Being Exploited To Install Ransomware* New Gadget Law Planned To Thwart Hackers
Dark Reading
* Trust the Stack, Not the People* Massive Dark Web 'Wall Street Market' Shuttered* Open Security Tests Gain Momentum With More Lab Partners* New Executive Order Aims to Grow Federal Cybersecurity Staff* The 2019 State of Cloud Security* How Storytelling Can Help Keep Your Company Safe* New Exploits For Old Configuration Issues Heighten Risk for SAP Customers* Misconfigured Ladders Database Exposed 13M User Records* Security Doesn't Trust IT – and IT Doesn't Trust Security* Security Depends on Careful Design * Real-World Use, Risk of Open Source Code * Facebook, Instagram Are Phishers' Favorite Social Platforms* Why Are We Still Celebrating World Password Day?* World Password Day or * Attackers Used Red-Team, Pen-Testing Tools to Hack Wipro* Digital Ad-Fraud Losses Decline * Study Exposes Breadth of Cyber Risk* 8 Personality Traits for Cybersecurity
News
Krebs on Security
* Feds Bust Up Dark Web Hub Wall Street Market* Credit Union Sues Fintech Giant Fiserv Over Security Claims* Data: E-Retail Hacks More Lucrative Than Ever* P2P Weakness Exposes Millions of IoT Devices* Who's Behind the RevCode WebMonitor RAT?* Marcus "MalwareTech” Hutchins Pleads Guilty to Writing, Selling Banking Malware* Wipro Intruders Targeted Other Major IT Firms* How Not to Acknowledge a Data Breach* Experts: Breach at IT Outsourcing Giant Wipro* 'Land Lordz' Service Powers Airbnb Scams
The Hacker News
* Israel Neutralizes Cyber Attack by Blowing Up A Building With Hackers* Europol Shuts Down Two Major Illegal 'Dark Web' Trading Platforms* Pre-Installed Software Flaw Exposes Most Dell Computers to Remote Hacking* Google Adds New Option to 'Auto-Delete' Your Location History and Activity Data* WikiLeaks' Julian Assange Sentenced to 50 Weeks in UK Jail* CompTIA Certification Training Courses — Avail Awesome 95% Discount* DHS Orders Federal Agencies to Patch Critical Flaws Within 15 Days* Hackers Found Exploiting Oracle WebLogic RCE Flaw to Spread Ransomware* Over Dozen Popular Email Clients Found Vulnerable to Signature Spoofing Attacks* Rapidly Growing Electrum Botnet Infects Over 152,000 Users; Steals $4.6 Million
Security Week
* Industry Reactions to Cybersecurity Workforce Executive Order* 5G Conference Warns on Security as Huawei Controversy Rages* Israel Bombs Hamas Cyber HQ in Response to Cyberattack* Google Announces Fourth-Annual Capture the Flag Event* Why Every Organization Needs to Rethink Workload Protection* Magecart Skimming Attack Hits Hundreds of Campus e-Commerce Sites* European, US Investigators Make Major Darknet Bust* Hundreds of Git Repositories Held for Ransom* 2020 Campaign Staffers Being Trained to Handle Cyber Threats* Mozilla Bans Firefox Extensions Containing Obfuscated Code* CrowdStrike Endpoint Security Platform Now Detects Firmware Attacks* New Strain of Android Malware Found on Third-Party App Store * UK Publishes Proposed Regulation for IoT Device Security* Vulnerabilities Found in Over 100 Jenkins Plugins* Level the Security Operations Playing Field With MITRE ATT&CK* German Police Shut Down Major 'Darknet' Illegal Trading Site* Trump Signs Executive Order to Bolster Cybersecurity Workforce* TSA Lacks Cybersecurity Expertise to Manage Pipeline Security Program: Report* DoS Attack Blamed for U.S. Grid Disruptions: Report* Dell Patches Remote Code Execution Vulnerability in SupportAssist Client
News
Infosecurity Magazine
* War Against Fraudsters Looks Winnable, Report Says* Nearly Half of US Orgs Not Ready for CCPA* Senate Passed Fed Cyber Workforce Program Act * Experts Warn of Office 365 Account Takeover Surge* BYOD Risks Grow as Half of Firms Fail on Policies* Europol: Two More Dark Web Marketplaces Seized* TinyPOS: Handcrafted Malware in Assembly Code* New Exploits Target Components of SAP Applications* Putin Signs Law to 'Stabilize' Russian Internet * UK IT Bosses Failing on Password Best Practices
Threat Post
* Avengers: Endgame Sites Promise Digital Downloads, Deliver Info-Harvesting* High-Severity PrinterLogic Flaws Enable Remote Code Execution* Tor Security Add-On Abruptly Killed by Mozilla Bug* Extinguishing the IoT Insecurity Dumpster Fire* Amid Bug Bounty Hype, Sometimes Security is Left in the Dust* Researchers Weigh in on Trump's Cyber Workforce Executive Order* News Wrap: Cartoon Network Hack, the Catholic Church and Jason Statham Scams* Retefe Banking Trojan Resurfaces, Says Goodbye to Tor* Multiple Sierra Wireless AirLink Routers Open to Remote Code Execution* Critical Flaws Found in Eight Wireless Presentation Systems
Naked Security
* Mozilla bug throws Tor Browser users into chaos* Belgian programmer solves cryptographic puzzle - 15 years too soon!* Criminals are hiding in Telegram - but backdoors are not the answer* Cryptocoin theft, scam and fraud could total more than $1.2b in Q1* Cybersecurity experts battle for right to repair* Google rolling out auto-delete for your location and activity history* World Password Day - what (NOT!) to do* DHS policies allow unlimited, warrantless device search* Is a sticky label the answer to the IoT's security problems?* Extortionists leak data of huge firms after IT provider refuses to pay
Quick Heal - Security Simplified
* Miners snatching open source tools to strengthen their malevolent power!* 5 ways to instantly detect a phishing email and save yourself from phishing attack* PCs fail to boot up / Freeze after receiving Microsoft Windows 9-April-2019 updates and rebooting the PC* JCry - A Ransomware written in Golang!* This summer vacation let your kids explore the internet with safety of parental control* 3059 android malware detected per day in 2018 - Are you still counting on free android antivirus forprotection?* Essential cyber safety tips every woman should follow* Quick Heal Threat Report - Cryptojacking rising but Ransomware still #1 threat for consumers* GandCrab Riding Emotet's Bus!
Security Conferences* Upcoming Events in the United States* Upcoming Events In Europe* 29 Amazing TED Cybersecurity Talks (2008 - 2020)* 7 Proven Ideas for Your InfoSec Conference Delegate Acquisition Strategy* An Interview with Jack Daniel: Co-Founder of BSides!
Tools & Techniques* SQLMAP - Automatic SQL Injection Tool 1.3.5* Suricata IDPE 4.1.4* ifchk 1.1.1* TestSSL 3.0rc5* TestSSL 2.9.5-8* Lynis Auditing Tool 2.7.4* OpenSSH 8.0p1* Raptor WAF 0.6* Mandos Encrypted File System Unattended Reboot Utility 1.8.4* Stegano 0.9.3* Twint : Twitter Intelligence Tool* HostHunter : To Discover Hostnames Using OSINT* Adidnsdump : Active Directory Integrated DNS Dump Tool* Flerken : Obfuscated Command Detection Tool* ScanQLi - To Detect SQL Vulns* ParamPamPam : Tool For Brute Discover Parameters* EvilClippy : For Creating Malicious MS Office Documents* Okadminfinder 3 : To Find Admin Panel Of Site* NAXSI : WAF For NGINX* DrAFL : Fuzzing Binaries With No Source Code On Linux
Latest Zone-H Website Defacements* http://siwas.pa-rembang.go.id* http://sipp.pa-rembang.go.id* http://sipp.pa-semarang.go.id* https://www.corsham.gov.uk/maxxct.htm* https://cvrlsudan.gov.sd* https://jablawlyashe.gov.sd* http://www.comunegioiosamarea.gov.it/erky.htm* http://mj.gov.tl/stats.php* https://lamarcountyms.gov/Legito.html* http://pa-rembang.go.id* http://siverekdevlethastanesi.gov.tr* http://sanliurfaegitimarastirma.gov.tr* http://karakopruadsm.gov.tr* http://akcakaledevlethastanesi.gov.tr* http://sueadh.gov.tr/az3.php* http://surucdh.gov.tr/az3.php* http://urfadis.gov.tr/az3.php* http://urfadogumevi.gov.tr/az3.php* http://siverekadsm.gov.tr/az3.php
Proof of Concept (PoC) & Exploits
Packet Storm Security
* Wordpress Social Warfare Remote Code Execution* Zotonic 0.46 mod_admin Cross Site Scripting* Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection* SolarWinds DameWare Mini Remote Control 10.0 Denial Of Service* Instagram Auto Follow SQL Injection* Blue Angel Software Suite Command Execution* Windows PowerShell ISE / Filename Parsing Flaw Remote Code Execution* Packet Storm New Exploits For April, 2019* Ruby On Rails DoubleTap Development Mode secret_key_base Remote Code Execution* Winamp 5.12 Playlist (.pls) Buffer Overflow* Johnny You Are Fired* CentOS Web Panel Domain Field Cross Site Scripting* OpenSkos Simple Knowledge Organization System 2.0 File Disclosure* Sentrifugo Human Resource Management System 3.2 File Disclosure* MailCarrier 2.51 HELP Remote Buffer Overflow* Yum Package Manager Persistence* Spring Cloud Config 2.1.x Path Traversal* HumHub 1.3.12 Cross Site Scripting* Intelbras IWR 3000N 1.5.0 Cross Site Request Forgery* Intelbras IWR 3000N Denial Of Service* Domoticz 4.10577 Unauthenticated Remote Command Execution* Veeam ONE Reporter 9.5.0.3201 Cross Site Scripting
Exploit Database
* [remote] Pimcore * [remote] AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)* [dos] Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification* [webapps] Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution* [local] DeviceViewer 3.12.0.1 - 'user' SEH Overflow* [dos] SpotAuditor 5.2.6 - 'Name' Denial of Service (PoC)* [webapps] Agent Tesla Botnet - Information Disclosure* [webapps] Hyvikk Fleet Manager - Shell Upload* [remote] Moodle 3.6.3 - 'Install Plugin' Remote Command Execution (Metasploit)* [webapps] Joomla! Component JiFile 2.3.1 - Arbitrary File Download* [webapps] Domoticz 4.10577 - Unauthenticated Remote Command Execution* [webapps] Spring Cloud Config 2.1.x - Path Traversal (Metasploit)* [webapps] HumHub 1.3.12 - Cross-Site Scripting* [webapps] Intelbras IWR 3000N 1.5.0 - Cross-Site Request Forgery* [webapps] Joomla! Component ARI Quiz 3.7.4 - SQL Injection* [webapps] Intelbras IWR 3000N - Denial of Service (Remote Reboot)* [webapps] Veeam ONE Reporter 9.5.0.3201 - Persistent Cross-site Scripting (Add/Edit Widget)* [webapps] Veeam ONE Reporter 9.5.0.3201 - Persistent Cross-Site Scripting
AdvisoriesUS-Cert Alerts & bulletins
* AA19-122A: New Exploits for Unsecure SAP Systems* AA19-024A: DNS Infrastructure Hijacking Campaign* SB19-126: Vulnerability Summary for the Week of April 29, 2019* SB19-119: Vulnerability Summary for the Week of April 22, 2019
Symantec - Latest List
* Microsoft Internet Explorer XML External Entity Information Disclosure Vulnerability* Microsoft Azure CVE-2019-0816 Security Bypass Vulnerability* Microsoft Windows Win32k CVE-2019-0859 Local Privilege Escalation Vulnerability* Multiple CPU Hardware CVE-2017-5754 Information Disclosure Vulnerability* Multiple CPU Hardware CVE-2017-5753 Information Disclosure Vulnerability* Microsoft Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability* Microsoft Azure DevOps Server and Team Foundation Server Cross Site Scripting Vulnerability* Microsoft Windows LUAFV Driver CVE-2019-0836 Local Privilege Escalation Vulnerability* Microsoft Azure DevOps Server CVE-2019-0874 Cross Site Scripting Vulnerability* Microsoft Azure DevOps Server CVE-2019-0857 Spoofing Vulnerability* Microsoft Azure DevOps Server and Team Foundation Server Cross Site Scripting Vulnerability* Microsoft Azure DevOps Server and Team Foundation Server Cross Site Scripting Vulnerability* Microsoft Azure DevOps Server and Team Foundation Server Cross Site Scripting Vulnerability* Microsoft Azure DevOps Server CVE-2019-0869 HTML Injection Vulnerability* Microsoft Windows MS XML CVE-2019-0793 Remote Code Execution Vulnerability* Microsoft Windows MS XML CVE-2019-0795 Remote Code Execution Vulnerability* Microsoft Windows MS XML CVE-2019-0792 Remote Code Execution Vulnerability* Microsoft Internet Explorer VBScript Engine CVE-2019-0862 Remote Code Execution Vulnerability* Microsoft Open Enclave SDK CVE-2019-0876 Information Disclosure Vulnerability* Microsoft Windows MS XML CVE-2019-0791 Remote Code Execution Vulnerability* Microsoft ASP.NET Core CVE-2019-0815 Denial of Service Vulnerability* Microsoft Edge Chakra Scripting Engine CVE-2019-0739 Remote Memory Corruption Vulnerability* Microsoft Edge CVE-2019-0833 Information Disclosure Vulnerability* Microsoft Edge and Internet Explorer CVE-2019-0764 Tampering Security Bypass Vulnerability* Microsoft Windows JET Database Engine CVE-2019-0879 Remote Code Execution Vulnerability* Microsoft Windows VBScript Engine CVE-2019-0842 Remote Code Execution Vulnerability
Packet Storm Security - Latest List
Ubuntu Security Notice USN-3964-1Ubuntu Security Notice 3964-1 - Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly handledcertain command line parameters. A remote attacker could use this to spoof the output of GnuPG and causeunsigned e-mail to appear signed. It was discovered that python-gnupg incorrectly handled the GPGpassphrase. A remote attacker could send a specially crafted passphrase that would allow them to control theoutput of encryption and decryption operations. Various other issues were also addressed.Ubuntu Security Notice USN-3953-2Ubuntu Security Notice 3953-2 - USN-3953-1 fixed several vulnerabilities in PHP. This update provides thecorresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. It was discovered that PHP incorrectlyhandled certain exif tags in JPEG images. A remote attacker could use this issue to cause PHP to crash,resulting in a denial of service, or possibly execute arbitrary code. Various other issues were also addressed.Ubuntu Security Notice USN-3963-1Ubuntu Security Notice 3963-1 - It was discovered that Memcached incorrectly handled certain lru commandmessages. A remote attacker could possibly use this issue to cause Memcached to crash, resulting in a denialof service.Red Hat Security Advisory 2019-0879-01Red Hat Security Advisory 2019-0879-01 - OpenStack Networking is a pluggable, scalable, and API-drivensystem that provisions networking services to virtual machines. Its main function is to manage connectivity toand from virtual machines. Issues addressed include an incorrect validation of port settings.Dovecot 2.3 Denial Of Service Dovecot version 2.3 suffers from multiple denial of service conditions. Included in this archive is the advisory aswell as patches to address the issue.Ubuntu Security Notice USN-3962-1Ubuntu Security Notice 3962-1 - It was discovered that libpng incorrectly handled certain memory operations. Ifa user or automated system were tricked into opening a specially crafted PNG file, a remote attacker could usethis issue to cause libpng to crash, resulting in a denial of service, or possibly execute arbitrary code.Red Hat Security Advisory 2019-0935-01Red Hat Security Advisory 2019-0935-01 - OpenStack Networking is a pluggable, scalable, and API-drivensystem that provisions networking services to virtual machines. Its main function is to manage connectivity toand from virtual machines. Issues addressed include an incorrect validation of port settings.Ubuntu Security Notice USN-3961-1Ubuntu Security Notice 3961-1 - It was discovered that the Dovecot Submission login service incorrectlyhandled certain operations. A remote attacker could possibly use this issue to cause Dovecot to crash,resulting in a denial of service.Red Hat Security Advisory 2019-0919-01Red Hat Security Advisory 2019-0919-01 - OpenStack Telemetry collects customer usage data for meteringpurposes. Telemetry implements bus listener, push, and polling agents for data collection. This data is stored ina database and presented via the REST API. Issues include a sensitive data disclosure vulnerability.phpBB 3.2.5 Denial Of ServicephpBB versions 3.2.5 and below suffer from a native full text denial of service vulnerability.Red Hat Security Advisory 2019-0916-01Red Hat Security Advisory 2019-0916-01 - OpenStack Networking is a pluggable, scalable, and API-drivensystem that provisions networking services to virtual machines. Its main function is to manage connectivity toand from virtual machines. Issues addressed include an invalid port setting validation.Red Hat Security Advisory 2019-0917-01Red Hat Security Advisory 2019-0917-01 - OpenStack Block Storage manages block storage mounting and thepresentation of such mounted block storage to instances. The backend physical storage can consist of localdisks, or Fibre Channel, iSCSI, and NFS mounts attached to Compute nodes. Issues addressed include a data
retention issue post deletion.Red Hat Security Advisory 2019-0911-01Red Hat Security Advisory 2019-0911-01 - Red Hat Ceph Storage is a scalable, open, software-definedstorage platform that combines the most stable version of the Ceph storage system with a Ceph managementplatform, deployment utilities, and support services.Red Hat Security Advisory 2019-0910-01Red Hat Security Advisory 2019-0910-01 - This release of Red Hat Fuse 7.3 serves as a replacement for RedHat Fuse 7.2, and includes bug fixes and enhancements, which are documented in the Release Notesdocument linked to in the References. Issues addressed include a deserialization vulnerability.Apache Archiva 2.2.3 File Write / DeleteApache Archiva versions 2.0.0 through 2.2.3 suffer from arbitrary file write and delete vulnerabilities.Apache Archiva 2.2.3 Cross Site ScriptingApache Archiva versions 2.0.0 through 2.2.3 suffer from a persistent cross site scripting vulnerability.Ubuntu Security Notice USN-3960-1Ubuntu Security Notice 3960-1 - It was discovered that WavPack incorrectly handled certain DFF files. Anattacker could possibly use this issue to cause a denial of service.Debian Security Advisory 4437-1Debian Linux Security Advisory 4437-1 - It was discovered that a buffer overflow in the RTSP parser of theGStreamer media framework may result in the execution of arbitrary code if a malformed RSTP stream isopened.Ubuntu Security Notice USN-3959-1Ubuntu Security Notice 3959-1 - It was discovered that Evince incorrectly handled certain images. An attackercould possibly use this issue to expose sensitive information.Debian Security Advisory 4435-1Debian Linux Security Advisory 4435-1 - A use-after-free vulnerability was discovered in the png_image_free()function in the libpng PNG library, which could lead to denial of service or potentially the execution of arbitrarycode if a malformed image is processed.Red Hat Security Advisory 2019-0902-01Red Hat Security Advisory 2019-0902-01 - Python is an interpreted, interactive, object-oriented programminglanguage, which includes modules, classes, exceptions, very high level dynamic data types and dynamictyping. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Issues addressed include an information leakage vulnerability.Debian Security Advisory 4436-1Debian Linux Security Advisory 4436-1 - problems and missing or incomplete input sanitizing may result indenial of service, memory disclosure or the execution of arbitrary code if malformed TIFF or Postscript files areprocessed.Ubuntu Security Notice USN-3958-1Ubuntu Security Notice 3958-1 - It was discovered that GStreamer Base Plugins did not correctly handlecertain malformed RTSP streams. If a user were tricked into opening a crafted RTSP stream with a GStreamerapplication, an attacker could cause a denial of service via application crash, or possibly execute arbitrarycode.Ubuntu Security Notice USN-3957-1Ubuntu Security Notice 3957-1 - Multiple security issues were discovered in MySQL and this update includes anew upstream MySQL version to fix these issues. Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 18.10, andUbuntu 19.04 have been updated to MySQL 5.7.26. In addition to security fixes, the updated packages containbug fixes, new features, and possibly incompatible changes. Various other issues were also addressed.
