
03-19

Weekly Awareness Report (WAR)

March 19, 2019

The Cyber Intelligence Report is an Open Source Intelligence (OSINT) resource focusing on advanced persistent threats and other digital dangers, received by over ten thousand individuals. APTs fit into a cybercrime category directed at both business and political targets. Attack vectors include system compromise, social engineering, and even traditional espionage. Included are clickable links to news stories, vulnerabilities, exploits, and other industry risks.

Summary

Symantec ThreatCon Low: Basic network posture

This condition applies when there is no discernible network incident activity and no malicious code activity with a moderate or severe risk rating. Under these conditions, only a routine security posture, designed to defeat normal network threats, is warranted. Automated systems and alerting mechanisms should be used.

Sophos: Last 10 Malware

* Troj/Ransom-FHO
* Troj/PDFUri-HCT
* Troj/VB-KDV
* Troj/Phish-ESG
* Troj/Nymaim-JB
* Troj/Remcos-GY
* Troj/Nymaim-JA
* Troj/Phish-ESF
* Troj/PDFUri-HCS
* Troj/Qbot-ES

Last 10 PUAs

* Max Secure Software Installer
* PC Hunter
* Network Scanner
* IStartSurfInstaller
* RevCode WebMonitor Client
* BrowserIO
* Genieo
* Bundlore
* SurfBuyer
* FutureXGame

Interesting News

* Spam and phishing in 2018 - 2018 showed that cybercriminals continue to keep a close eye on global events and use them to achieve their goals. We have seen a steady increase in phishing attacks on cryptocurrency-related resources, and expect new scams to appear in 2019.

If you are interested, we have an active Facebook Group and YouTube Channel. As always, if you have any suggestions, feel free to let us know. Subscribe if you would like to receive the CIR updates: [email protected]

Index of Sections

Current News

* Packet Storm Security

* Dark Reading

* Krebs on Security

* The Hacker News

* McAfee

* Threat Post

* Naked Security

* Quick Heal - Security Simplified

Critical Infrastructure

* Security Magazine's Latest Published

Hacker Corner: Tools, Hacked Defacements, and Exploits

* Packet Storm Security Latest Published Tools

* Zone-H Latest Published Website Defacements

* Packet Storm Security Latest Published Exploits

* Exploit Database Releases

Advisories

* Secunia Chart of Vulnerabilities Identified

* US-Cert (Current Activity-Alerts-Bulletins)

* Symantec's Latest List

* Packet Storm Security's Latest List

Credits

News

Packet Storm Security

* Hacker Returns And Puts 26Mil User Records For Sale On The Dark Web
* Lenovo Patches Intel Firmware Flaws In Multiple Product Lines
* How Hackers Pulled Off A $20 Million Bank Heist
* Facial Recognition 101: Your Face Is Your New Fingerprint
* Beto O'Rourke's Secret Membership In The cDc
* Beto O'Rourke Has Serious Hacker Credentials
* You're Now In A Timeline In Which A US Presidential Hopeful Was In A Legendary Hacker Group
* WordPress Releases 14 Fixes In Latest Security Updates
* Google May Face Investigation Over Antitrust, Privacy Issues
* Singapore Public Sector Reports Yet Another Security Lapse
* Beto O'Rourke Was Part Of The Cult Of The Dead Cow
* Facebook Under Criminal Investigation Over Data Sharing With Tech Firms
* Threat Groups SandCat, FruityArmor Exploiting Microsoft Win32k Flaw
* Proof Of Concept Code Published For Windows 7 Zero Day
* Tesla Allegedly Spied On And Ran Smear Campaign On A Whistleblower
* Facebook And Instagram Suffer Most Severe Outage Ever
* Senators Want To Know When They've Been Hacked
* U.S. Navy Taken To Task For Cybersecurity Flaws
* Yelp For MAGAs App Maker Fails Miserably At Design, Calls FBI On Security Researcher
* Study: Hacking 10% Of Self Driving Cars Would Cause Gridlock In NYC
* Police Bust Man For Selling 1 Million Netflix, Spotify Passwords
* Almost 150 Million Users Impacted By New SimBad Android Malware
* Unpatched Windows Bug Allows Attackers To Spoof Security Dialog Boxes
* Researcher Claims Iranian APT Behind 6TB Data Heist At Citrix
* Facebook Phishing Campaign Hitting iOS Users

Dark Reading

* New IoT Security Bill: Third Time's the Charm?
* New Europol Protocol Addresses Cross-Border Cyberattacks
* Dragos Buys ICS Firm with US Dept. of Energy Roots
* Are You Prepared for a Zombie (Domain) Apocalypse?
* Don't Miss these Intriguing Black Hat Asia Briefings
* 7 Low-Cost Security Tools
* Could Beto O'Rourke Become the First Hacker President?
* Proof-of-Concept Tracking System Finds RATs Worldwide
* On Norman Castles and the Internet
* Criminals Use One Line of Code to Steal Card Data from E-Commerce Sites
* Ransomware's New Normal
* Anomaly Detection Techniques: Defining Normal
* US Prosecutors Investigate Facebook's Data-Sharing Deals
* Businesses Increase Investments in AI and Machine Learning
* Join Your Peers at the Black Hat Asia Executive Summit
* 4 Reasons to Take an 'Inside Out' View of Security
* New Malware Shows Marketing Polish
* Three in Five Politicians' Websites Don't Use HTTPS
* Autism, Cybercrime, and Security's Skill Struggle


Krebs on Security

* Why Phone Numbers Stink As Identity Proof
* Ad Network Sizmek Probes Account Breach
* Patch Tuesday, March 2019 Edition
* Insert Skimmer + Camera Cover PIN Stealer
* MyEquifax.com Bypasses Credit Freeze PIN
* Hackers Sell Access to Bait-and-Switch Empire
* Booter Boss Interviewed in 2014 Pleads Guilty
* Crypto Mining Service Coinhive to Call it Quits
* Former Russian Cybersecurity Chief Sentenced to 22 Years in Prison
* Payroll Provider Gives Extortionists a Payday

The Hacker News

* Round 4 — Hacker Puts 26 Million New Accounts Up For Sale On Dark Web
* Patched WinRAR Bug Still Under Active Attack—Thanks to No Auto-Updates
* Telegram Gained 3 Million New Users During WhatsApp, Facebook Outage
* New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites
* Zero-Day Flaws in Counter-Strike 1.6 Let Malicious Servers Hack Gamers' PCs
* AWS Certification Training Courses - Get 2019 Bundle @ 96% OFF
* Firefox Send — Free Encrypted File Transfer Service Now Available For All
* Microsoft Releases Patches for 64 Flaws — Two Under Active Attack
* Adobe Releases Patches for Critical Flaws in Photoshop CC and Digital Edition
* Cynet is offering unhappy competitors' customers a refund for the time remaining on existing contracts

Security Week

* New Mirai Variant Targets Enterprise IoT Devices
* Slack Introduces Enterprise Key Management Tool
* 'Shameless' Scammers Seek to Cash in on Christchurch Massacre
* Android Q Brings New Privacy and Security Features
* EU Adopts New Response Protocol for Major Cyberattacks
* Not All Context in Threat Intelligence is Created Equal
* Chrome, Firefox Get Windows Defender Application Guard Extensions
* Australia's Intelligence Agency Publishes its Vulnerability Disclosure Process
* Beto O'Rourke 'Mortified' Over Articles Written as Teen Member of Cult of the Dead Cow Hacker Group
* Dragos Acquires NexDefense, Releases Free ICS Assessment Tools
* Ukraine Ready to Take on Russian Election Hackers
* EU to Slap Google With Fresh Fine: Sources
* Google Took Down 2.3 Billion Bad Ads in 2018
* E-Commerce Company Gearbest Leaked User Information
* China Does Not Ask Firms to Spy on Others: Premier
* Hackers Bypass MFA on Cloud Accounts via IMAP Protocol
* Uncovering the Data Security Triad
* Recently Patched WinRAR Flaw Exploited in APT Attacks
* G Suite Admins Can Now Disable Phone 2-SV
* Leading Israeli Candidate for PM Targeted by Iranian Hackers


McAfee

* How to Safeguard Your Family Against A Medical Data Breach
* Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250)
* McAfee CTO @ RSA: Catching Lightning in a Bottle or Burning Bridges to the Future?
* Basic Android Apps Are Charging High Subscription Fees With Deceptive Tactics
* ST02: Mobile World Congress 2019 Recap with Gary Davis
* 5 Tips For Creating Bulletproof Passwords
* Artificial Intelligence, Machine Learning and More at RSAC 2019
* You Rang? New Voice Phishing Attack Tricks Unsuspecting Users
* How to Make Sure Spring Break Doesn't Wreck Your Digital Rep

Threat Post

* Fourth Major Credential Spill in a Month Hits DreamMarket
* Mirai Variant Goes After Enterprise Systems
* Google Gives Users More Choice with Location-Tracking Apps
* Privacy Regulations Needed for Next-Gen Cars
* Lenovo Patches Intel Firmware Flaws in Multiple Product Lines
* Unpatched Fujitsu Wireless Keyboard Bug Allows Keystroke Injection
* Threatlist: IMAP-Based Attacks Compromising Accounts at 'Unprecedented Scale'
* Zero-Days in Counter-Strike Client Used to Build Major Botnet
* Cisco Patches Critical 'Default Password' Bug
* GlitchPOS Malware Appears to Steal Credit-Card Numbers

Naked Security

* Home DNA kit company now lets users opt out of FBI data sharing
* DARPA is working on an open source, secure e-voting system
* Intel releases patches for code execution vulnerabilities
* G Suite admins can now disallow SMS and voice authentication
* WordPress 5.1.1 patches dangerous XSS vulnerability
* Monday review - the hot 23 stories of the week
* Sextortion - what's new, and what to do [VIDEO]
* You left WHAT on that USB drive?!
* Ep. 023 - Facebook promises and Google Chrome patches [PODCAST]
* Facebook outage coincides with (or causes?) 3m new Telegram users

Quick Heal - Security Simplified

* Essential cyber safety tips every woman should follow
* Quick Heal Threat Report - Cryptojacking rising but Ransomware still #1 threat for consumers
* GandCrab Riding Emotet's Bus!
* This Valentine fall for true love not for fake online dating apps
* 28 Fake Apps removed from Google Play Store post Quick Heal Security Lab reports
* 3 essential ways to strengthen your business data security
* Anatova, A modular ransomware
* Mongolock Ransomware deletes files and targets databases
* GandCrab Ransomware along with Monero Miner and Spammer

Critical Infrastructure

* Natural Disasters Cost the U.S. $91 Billion in 2018
* Study on Electric Grid Resiliency Finds Urgent Need for Cybersecurity Investments
* IATA Releases 2018 Airline Safety Performance
* AAPA Says $4 Billion Needed to Protect Ports and Supply Chain Security
* Beazley, Marsh Launch Cyber Insurance for Manufacturers

Tools

* UFONet 1.3
* Suricata IDPE 4.1.3
* Lynis Auditing Tool 2.7.2
* Stegano 0.9.1
* AIDE 0.16.1
* SQLMAP - Automatic SQL Injection Tool 1.3.3
* Wireshark Analyzer 3.0.0
* Wireshark Analyzer 2.6.7
* OpenSSL Toolkit 1.1.1b
* Faraday 3.6.0
* Ways to Play Retro Games
* Five Little-Known Ways to Increase Security in Today's Risky Environment

Zone-H Website Defacements

Unfortunately, at the time of this report, the resource was not available. You can access this resource here: http://www.zone-h.org/rss/specialdefacements

Proof of Concept (PoC) & Exploits

Packet Storm Security

* Jenkins ACL Bypass / Metaprogramming Remote Code Execution
* exacqVision 9.8 Unquoted Service Path Privilege Escalation
* libseccomp Incorrect Compilation Of Arithmetic Comparisons
* Gitea 1.7.3 HTML Injection
* TheCarProject 2 SQL Injection
* WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 Denial Of Service
* WinMPG Video Convert 9.3.5 Denial Of Service
* WordPress FormCraft 2.0 CSRF / Shell Upload
* CSZ CMS 1.2.1 Arbitrary File Upload
* PHP MySQLi Database Class 2.9.2 SQL Injection
* Webmin 1.900 Upload Authenticated Remote Command Execution
* BMC Patrol Agent Privilege Escalation / Command Execution
* Moodle 3.4.1 Remote Code Execution
* Mail Carrier 2.5.1 Buffer Overflow
* ICE HRM 23.0 SQL / Iframe Injection
* CMS Made Simple Showtime2 3.6.2 Arbitrary File Upload
* Vembu Storegrid Web Interface 4.4.0 Cross Site Scripting / Information Disclosure
* NetData 1.13.0 HTML Injection
* Laundry CMS SQL / Iframe Injection
* Apache UNO API Remote Code Execution
* Pegasus CMS 1.0 Remote Code Execution
* FTPGetter Standard 5.97.0.177 Remote Code Execution

Exploit Database

* [local] WinRAR 5.61 - Path Traversal
* [webapps] Moodle 3.4.1 - Remote Code Execution
* [webapps] Laundry CMS - Multiple Vulnerabilities
* [webapps] Vembu Storegrid Web Interface 4.4.0 - Multiple Vulnerabilities
* [webapps] ICE HRM 23.0 - Multiple Vulnerabilities
* [remote] Mail Carrier 2.5.1 - 'MAIL FROM' Buffer Overflow
* [webapps] CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload
* [webapps] NetData 1.13.0 - HTML Injection
* [remote] Apache UNO / LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 API - Remote Code Execution
* [remote] FTPGetter Standard 5.97.0.177 - Remote Code Execution
* [webapps] Pegasus CMS 1.0 - 'extra_fields.php' Plugin Remote Code Execution
* [webapps] Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password)
* [remote] Apache Tika-server
* [remote] elFinder PHP Connector
* [webapps] pfSense 2.4.4-p1 (HAProxy Package 0.59_14) - Persistent Cross-Site Scripting
* [webapps] WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion
* [local] Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution
* [dos] Core FTP Server FTP / SFTP Server v2 Build 674 - 'SIZE' Directory Traversal
* [dos] Core FTP Server FTP / SFTP Server v2 Build 674 - 'MDTM' Directory Traversal
* [dos] Microsoft Windows - '.reg' File / Dialog Box Message Spoofing
* [dos] Core FTP 2.0 build 653 - 'PBSZ' Denial of Service (PoC)

Advisories

US-Cert Alerts & Bulletins

* AA19-024A: DNS Infrastructure Hijacking Campaign
* AA18-337A: SamSam Ransomware
* SB19-077: Vulnerability Summary for the Week of March 11, 2019
* SB19-070: Vulnerability Summary for the Week of March 4, 2019

Symantec - Latest List

* Microsoft Windows Win32k CVE-2019-0808 Local Privilege Escalation Vulnerability
* Microsoft NuGet Package Manager CVE-2019-0757 Tampering Security Bypass Vulnerability
* Microsoft Windows Common Control Library CVE-2019-0765 Remote Code Execution Vulnerability
* Microsoft Internet Explorer CVE-2019-0763 Remote Memory Corruption Vulnerability
* Microsoft Windows CVE-2019-0754 Local Denial of Service Vulnerability
* Microsoft Edge CVE-2019-0612 Security Bypass Vulnerability
* Microsoft Windows Active Directory CVE-2019-0683 Remote Privilege Escalation Vulnerability
* Microsoft Windows Hyper-V CVE-2019-0690 Remote Denial of Service Vulnerability
* Microsoft Windows JET Database Engine CVE-2019-0617 Remote Code Execution Vulnerability
* Microsoft Azure CVE-2019-0816 Security Bypass Vulnerability
* Microsoft Internet Explorer and Edge CVE-2019-0780 Remote Memory Corruption Vulnerability
* Microsoft Edge CVE-2019-0678 Remote Privilege Escalation Vulnerability
* Microsoft Edge CVE-2019-0779 Remote Memory Corruption Vulnerability
* Microsoft Windows Print Spooler CVE-2019-0759 Information Disclosure Vulnerability
* Microsoft Visual Studio CVE-2019-0809 Remote Code Execution Vulnerability
* Microsoft Internet Explorer CVE-2019-0761 Security Bypass Vulnerability
* Microsoft Windows CVE-2019-0766 Local Privilege Escalation Vulnerability
* Microsoft Windows SMB Server CVE-2019-0704 Information Disclosure Vulnerability
* Microsoft Windows SMB Server CVE-2019-0703 Information Disclosure Vulnerability
* Microsoft Internet Explorer CVE-2019-0768 Security Bypass Vulnerability
* Microsoft Windows Hyper-V CVE-2019-0701 Remote Denial of Service Vulnerability
* Microsoft Windows Hyper-V CVE-2019-0695 Remote Denial of Service Vulnerability
* Microsoft Windows Subsystem for Linux CVE-2019-0694 Local Privilege Escalation Vulnerability
* Microsoft Windows Subsystem for Linux CVE-2019-0693 Local Privilege Escalation Vulnerability
* Microsoft Windows Subsystem for Linux CVE-2019-0692 Local Privilege Escalation Vulnerability
* Microsoft Windows GDI Component CVE-2019-0774 Information Disclosure Vulnerability

Packet Storm Security - Latest List

* Red Hat Security Advisory 2019-0597-01 - The cloud-init packages provide a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to retrieve and install SSH keys, and to let the user run various scripts. An issue with extra ssh keys being added has been addressed.
* Debian Linux Security Advisory 4408-1 - Multiple security issues were discovered in liveMedia, a set of C++ libraries for multimedia streaming, which could result in the execution of arbitrary code or denial of service when parsing a malformed RTSP stream.
* Red Hat Security Advisory 2019-0593-01 - The OpenStack Load Balancing service provides a Load Balancing-as-a-Service version 2 implementation for Red Hat OpenStack platform director based installations. This update fixes an issue where private keys were written to world-readable log files.
* Ubuntu Security Notice USN-3911-1 - It was discovered that file incorrectly handled certain malformed ELF files. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.
* Red Hat Security Advisory 2019-0580-01 - OpenStack Telemetry collects customer usage data for metering purposes. Telemetry implements bus listener, push, and polling agents for data collection. This data is stored in a database and presented via the REST API. This update addresses a sensitive data leak.
* Red Hat Security Advisory 2019-0590-01 - Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Issues addressed include an information leakage vulnerability.
* Ubuntu Security Notice USN-3910-1 - It was discovered that the f2fs filesystem implementation in the Linux kernel did not handle the noflush_merge mount option correctly. An attacker could use this to cause a denial of service. It was discovered that the procfs filesystem did not properly handle processes mapping some memory elements onto files. A local attacker could use this to block utilities that examine the procfs filesystem to report operating system state, such as ps. Various other issues were also addressed.
* Ubuntu Security Notice USN-3910-2 - USN-3910-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that the f2fs filesystem implementation in the Linux kernel did not handle the noflush_merge mount option correctly. An attacker could use this to cause a denial of service. Various other issues were also addressed.
* Fujitsu LX901 GK900 Keystroke Injection - SySS GmbH found out that the wireless desktop set Fujitsu LX901 is vulnerable to keystroke injection attacks by sending unencrypted data packets with the correct packet format to the receiver (USB dongle).
* VMware Security Advisory 2019-0003 - VMware Horizon update addresses a Connection Server information disclosure vulnerability.
* VMware Security Advisory 2019-0002 - VMware Workstation update addresses elevation of privilege issues.
* Ubuntu Security Notice USN-3909-1 - It was discovered that libvirt incorrectly handled waiting for certain agent events. An attacker inside a guest could possibly use this issue to cause libvirtd to stop responding, resulting in a denial of service.
* Ubuntu Security Notice USN-3908-2 - USN-3908-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. Jann Horn discovered a race condition in the fork system call in the Linux kernel. A local attacker could use this to gain access to services that cache authorizations. Various other issues were also addressed.
* Cisco Common Service Platform Collector Hardcoded Credentials - The Cisco Common Service Platform Collector versions 2.7.2 through 2.7.4.5 and all releases of 2.8.x prior to 2.8.1.2 contain hardcoded credentials.
* Red Hat Security Advisory 2019-0567-01 - The OpenStack Load Balancing service provides a Load Balancing-as-a-Service version 2 implementation for Red Hat OpenStack platform director based installations. Issues addressed include a flaw where private keys are being written to world-readable log files.
* Red Hat Security Advisory 2019-0564-01 - Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Issues addressed include an information leakage vulnerability.
* Red Hat Security Advisory 2019-0566-01 - OpenStack Telemetry collects customer usage data for metering purposes. Telemetry implements bus listener, push, and polling agents for data collection. This data is stored in a database and presented via the REST API. Issues addressed include a sensitive data disclosure vulnerability.
* Red Hat Security Advisory 2019-0547-01 - The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications. Security fix: haproxy: Mishandling of priority flag in short HEADERS frame by HTTP/2 decoder allows for crash.
* Red Hat Security Advisory 2019-0548-01 - The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications. Security fix: haproxy: Mishandling of priority flag in short HEADERS frame by HTTP/2 decoder allows for crash.
* Gentoo Linux Security Advisory 201903-14 - Multiple vulnerabilities have been found in Oracle's JDK and JRE software suites. Versions less than 1.8.0.202 are affected.
* Gentoo Linux Security Advisory 201903-13 - Multiple vulnerabilities have been found in BIND, the worst of which could result in a Denial of Service condition. Versions less than 9.12.1_p2-r1 are affected.
* Gentoo Linux Security Advisory 201903-12 - Multiple vulnerabilities have been found in WebkitGTK+, the worst of which could result in the arbitrary execution of code. Versions less than 2.22.6 are affected.
* Gentoo Linux Security Advisory 201903-11 - A vulnerability was discovered in XRootD which could lead to the remote execution of code. Versions less than 4.8.3 are affected.
* Gentoo Linux Security Advisory 201903-10 - Multiple Information Disclosure vulnerabilities in OpenSSL allow attackers to obtain sensitive information. Versions less than 1.0.2r are affected.

