Daily Archives: July 10, 2018

How the University of Texas at Austin Secures 100,000-Fan Football Games

“For us, a game day activity is no small matter,” says James (Jimmy) Johnson, Assistant Vice President for Campus Safety at the University of Texas at Austin.

No kidding – Longhorn football games regularly sell out, hosting more than 100,000 fans in the Darrel K Royal (DKR)-Texas Memorial Stadium, not counting the small army of vendors, staff, security personnel and law enforcement that keep operations running smoothly.

How to Receive a Clean SOC 2 Report

Controls—SOC 2 is all about controls. It’s right there in the name: Service Organization Controls, S-O-C. A SOC 2 report is a de facto requirement for any organization that wants to store any customer data in the cloud, which means most SaaS or cloud service providers. Unlike PCI DSS, which is prescriptive and very technical, […]… Read More

The post How to Receive a Clean SOC 2 Report appeared first on The State of Security.

IBM QRadar SIEM Unauthenticated Remote Code Execution

IBM QRadar SIEM has three vulnerabilities in the Forensics web application that when chained together allow an attacker to achieve unauthenticated remote code execution. The first stage bypasses authentication by fixating session cookies. The second stage uses those authenticated sessions cookies to write a file to disk and execute that file as the "nobody" user. The third and final stage occurs when the file executed as "nobody" writes an entry into the database that causes QRadar to execute a shell script controlled by the attacker as root within the next minute. Details about these vulnerabilities can be found in the advisories listed in References. The Forensics web application is disabled in QRadar Community Edition, but the code still works, so these vulnerabilities can be exploited in all flavors of QRadar. This Metasploit module was tested with IBM QRadar CE 7.3.0 and 7.3.1. IBM has confirmed versions up to 7.2.8 patch 12 and 7.3.1 patch 3 are vulnerable. Due to payload constraints, this module only runs a generic/shell_reverse_tcp payload.

CVE-2018-13879

A reflected XSS issue was discovered in the registration form in Rocket.Chat before 0.66. When one creates an account, the next step will ask for a username. This field will not save HTML control characters but an error will be displayed that shows the attempted username unescaped via packages/rocketchat-ui-login/client/username/username.js in packages/rocketchat-ui-login/client/username/username.html.

CVE-2018-13878

An XSS issue was discovered in packages/rocketchat-mentions/Mentions.js in Rocket.Chat before 0.65. The real name of a username is displayed unescaped when the user is mentioned (using the @ symbol) in a channel or private chat. Consequently, it is possible to exfiltrate the secret token of every user and also admins in the channel.

Cisco Nexus 3000 and 9000 Series CLI and Simple Network Management Protocol Polling Denial of Service Vulnerability

A vulnerability in the implementation of a specific CLI command and the associated Simple Network Management Protocol (SNMP) MIB for Cisco Nexus 3000 and 9000 Series Switches could allow an authenticated, remote attacker to exhaust system memory on an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to the incorrect implementation of the CLI command, resulting in a failure to free all allocated memory upon completion. An attacker could exploit this vulnerability by authenticating to the affected device and repeatedly issuing a specific CLI command or sending a specific SNMP poll request for a specific Object Identifier (OID). A successful exploit could allow the attacker to cause the IP routing process to restart or to cause a device reset, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-n3k-n9k-clisnmp

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.


Security Impact Rating: High
CVE: CVE-2018-0309

CVE-2018-8325 (edge)

An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory, aka "Microsoft Edge Information Disclosure Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8289, CVE-2018-8297, CVE-2018-8324.

CVE-2018-8356

A security feature bypass vulnerability exists when Microsoft .NET Framework components do not correctly validate certificates, aka ".NET Framework Security Feature Bypass Vulnerability." This affects .NET Framework 4.7.2, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, ASP.NET Core 1.1, Microsoft .NET Framework 4.5.2, ASP.NET Core 2.0, ASP.NET Core 1.0, .NET Core 1.1, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, .NET Core 1.0, .NET Core 2.0, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.2.

CVE-2018-8311

A remote code execution vulnerability exists when Skype for Business and Microsoft Lync clients fail to properly sanitize specially crafted content, aka "Remote Code Execution Vulnerability in Skype For Business and Lync." This affects Skype, Microsoft Lync.

CVE-2018-8310

A tampering vulnerability exists when Microsoft Outlook does not properly handle specific attachment types when rendering HTML emails, aka "Microsoft Office Tampering Vulnerability." This affects Microsoft Word, Microsoft Office.

CVE-2018-8323

An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2018-8299.

CVE-2018-8327

A remote code execution vulnerability exists in PowerShell Editor Services, aka "PowerShell Editor Services Remote Code Execution Vulnerability." This affects PowerShell Editor, PowerShell Extension.

CVE-2018-8319

A Security Feature Bypass vulnerability exists in MSR JavaScript Cryptography Library that is caused by incorrect arithmetic computations, aka "MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability." This affects Microsoft Research JavaScript Cryptography Library.

CVE-2018-8325

An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory, aka "Microsoft Edge Information Disclosure Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8289, CVE-2018-8297, CVE-2018-8324.

CVE-2018-8314

An elevation of privilege vulnerability exists when Windows fails a check, allowing a sandbox escape, aka "Windows Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2008 R2, Windows 10. This CVE ID is unique from CVE-2018-8313.

CVE-2018-8313

An elevation of privilege vulnerability exists in the way that the Windows Kernel API enforces permissions, aka "Windows Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8314.

CVE-2018-8312

A remote code execution vulnerability exists when Microsoft Access fails to properly handle objects in memory, aka "Microsoft Access Remote Code Execution Vulnerability." This affects Microsoft Access, Microsoft Office.

CVE-2018-8324

An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory, aka "Microsoft Edge Information Disclosure Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8289, CVE-2018-8297, CVE-2018-8325.

CVE-2018-8309

A denial of service vulnerability exists when Windows improperly handles objects in memory, aka "Windows Denial of Service Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

CVE-2018-8326

A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka "Open Source Customization for Active Directory Federation Services XSS Vulnerability." This affects Web Customizations.

CVE-2018-8297 (edge)

An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory, aka "Microsoft Edge Information Disclosure Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8289, CVE-2018-8324, CVE-2018-8325.

CVE-2018-8289 (edge)

An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory, aka "Microsoft Edge Information Disclosure Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8297, CVE-2018-8324, CVE-2018-8325.

CVE-2018-8280 (chakracore, edge)

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8286, CVE-2018-8290, CVE-2018-8294.

CVE-2018-8290 (chakracore, edge)

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8280, CVE-2018-8286, CVE-2018-8294.

CVE-2018-8294 (chakracore, edge)

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8280, CVE-2018-8286, CVE-2018-8290.

CVE-2018-8286 (chakracore, edge)

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8280, CVE-2018-8290, CVE-2018-8294.

CVE-2018-8301 (edge)

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8125, CVE-2018-8262, CVE-2018-8274, CVE-2018-8275, CVE-2018-8279.

CVE-2018-8300

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka "Microsoft SharePoint Remote Code Execution Vulnerability." This affects Microsoft SharePoint.

CVE-2018-8298

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8287, CVE-2018-8288, CVE-2018-8291, CVE-2018-8296.

CVE-2018-8304

A denial of service vulnerability exists in Windows Domain Name System (DNS) DNSAPI.dll when it fails to properly handle DNS responses, aka "Windows DNSAPI Denial of Service Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

CVE-2018-8297

An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory, aka "Microsoft Edge Information Disclosure Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8289, CVE-2018-8324, CVE-2018-8325.

CVE-2018-8301

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8125, CVE-2018-8262, CVE-2018-8274, CVE-2018-8275, CVE-2018-8279.

CVE-2018-8296

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 11. This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8287, CVE-2018-8288, CVE-2018-8291, CVE-2018-8298.

CVE-2018-8305

An information disclosure vulnerability exists in Windows Mail Client when a message is opened, aka "Windows Mail Client Information Disclosure Vulnerability." This affects Mail, Calendar, and People in Windows 8.1 App Store.

CVE-2018-8306

A command injection vulnerability exists in the Microsoft Wireless Display Adapter (MWDA) when the Microsoft Wireless Display Adapter does not properly manage user input, aka "Microsoft Wireless Display Adapter Command Injection Vulnerability." This affects Microsoft Wireless Display Adapter V2 Software.

CVE-2018-8299

An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2018-8323.

CVE-2018-8307

A security feature bypass vulnerability exists when Microsoft WordPad improperly handles embedded OLE objects, aka "WordPad Security Feature Bypass Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

CVE-2018-8308

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka "Windows Kernel Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

CVE-2018-8290

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8280, CVE-2018-8286, CVE-2018-8294.

CVE-2018-8283

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8242, CVE-2018-8287, CVE-2018-8288, CVE-2018-8291, CVE-2018-8296, CVE-2018-8298.

CVE-2018-8289

An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory, aka "Microsoft Edge Information Disclosure Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8297, CVE-2018-8324, CVE-2018-8325.

CVE-2018-8294

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8280, CVE-2018-8286, CVE-2018-8290.

CVE-2018-8288

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer 11, Microsoft Edge. This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8287, CVE-2018-8291, CVE-2018-8296, CVE-2018-8298.

CVE-2018-8284

A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka ".NET Framework Remote Code Injection Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.2.

CVE-2018-8280

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8286, CVE-2018-8290, CVE-2018-8294.

CVE-2018-8287

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer 11, Microsoft Edge, Internet Explorer 10. This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8288, CVE-2018-8291, CVE-2018-8296, CVE-2018-8298.

CVE-2018-8291

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer 11, Microsoft Edge. This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8287, CVE-2018-8288, CVE-2018-8296, CVE-2018-8298.

CVE-2018-8286

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8280, CVE-2018-8290, CVE-2018-8294.

CVE-2018-8281

A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory, aka "Microsoft Office Remote Code Execution Vulnerability." This affects Microsoft Excel Viewer, Microsoft PowerPoint Viewer, Microsoft Office, Microsoft Office Word Viewer.

CVE-2018-8282

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

CVE-2018-8125 (edge)

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8262, CVE-2018-8274, CVE-2018-8275, CVE-2018-8279, CVE-2018-8301.

CVE-2018-8274 (edge)

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8125, CVE-2018-8262, CVE-2018-8275, CVE-2018-8279, CVE-2018-8301.

CVE-2018-8279 (chakracore, edge)

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8125, CVE-2018-8262, CVE-2018-8274, CVE-2018-8275, CVE-2018-8301.

CVE-2018-8275 (chakracore, edge)

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8125, CVE-2018-8262, CVE-2018-8274, CVE-2018-8279, CVE-2018-8301.

CVE-2018-8262 (edge)

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8125, CVE-2018-8274, CVE-2018-8275, CVE-2018-8279, CVE-2018-8301.

CVE-2018-8262

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8125, CVE-2018-8274, CVE-2018-8275, CVE-2018-8279, CVE-2018-8301.

CVE-2018-8260

A Remote Code Execution vulnerability exists in .NET software when the software fails to check the source markup of a file, aka ".NET Framework Remote Code Execution Vulnerability." This affects .NET Framework 4.7.2, Microsoft .NET Framework 4.7.2.

CVE-2018-8242

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-8283, CVE-2018-8287, CVE-2018-8288, CVE-2018-8291, CVE-2018-8296, CVE-2018-8298.

CVE-2018-8238

A security feature bypass vulnerability exists when Skype for Business or Lync do not properly parse UNC path links shared via messages, aka "Skype for Business and Lync Security Feature Bypass Vulnerability." This affects Skype, Microsoft Lync.

CVE-2018-8222

A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.

CVE-2018-8232

A Tampering vulnerability exists when Microsoft Macro Assembler improperly validates code, aka "Microsoft Macro Assembler Tampering Vulnerability." This affects Microsoft Visual Studio.

CVE-2018-8275

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8125, CVE-2018-8262, CVE-2018-8274, CVE-2018-8279, CVE-2018-8301.

CVE-2018-8172

A remote code execution vulnerability exists in Visual Studio software when the software does not check the source markup of a file for an unbuilt project, aka "Visual Studio Remote Code Execution Vulnerability." This affects Microsoft Visual Studio, Expression Blend 4.

CVE-2018-8125

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8262, CVE-2018-8274, CVE-2018-8275, CVE-2018-8279, CVE-2018-8301.

CVE-2018-8274

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8125, CVE-2018-8262, CVE-2018-8275, CVE-2018-8279, CVE-2018-8301.

CVE-2018-8171

A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka "ASP.NET Security Feature Bypass Vulnerability." This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2.

CVE-2018-0949

A security feature bypass vulnerability exists when Microsoft Internet Explorer improperly handles requests involving UNC resources, aka "Internet Explorer Security Feature Bypass Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10.

CVE-2018-8276

A security feature bypass vulnerability exists in the Microsoft Chakra scripting engine that allows Control Flow Guard (CFG) to be bypassed, aka "Scripting Engine Security Feature Bypass Vulnerability." This affects Microsoft Edge, ChakraCore.

CVE-2018-8202

An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level, aka ".NET Framework Elevation of Privilege Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.2.

CVE-2018-8206

A denial of service vulnerability exists when Windows improperly handles File Transfer Protocol (FTP) connections, aka "Windows FTP Server Denial of Service Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

CVE-2018-8279

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8125, CVE-2018-8262, CVE-2018-8274, CVE-2018-8275, CVE-2018-8301.

Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally

Introduction

FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia's politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures. This campaign occurs in the run up to the country’s July 29, 2018, general elections. TEMP.Periscope used the same infrastructure for a range of activity against other more traditional targets, including the defense industrial base in the United States and a chemical company based in Europe. Our previous blog post focused on the group’s targeting of engineering and maritime entities in the United States.

Overall, this activity indicates that the group maintains an extensive intrusion architecture and wide array of malicious tools, and targets a large victim set, which is in line with typical Chinese-based APT efforts. We expect this activity to provide the Chinese government with widespread visibility into Cambodian elections and government operations. Additionally, this group is clearly able to run several large-scale intrusions concurrently across a wide range of victim types.

Our analysis also strengthened our overall attribution of this group. We observed the toolsets we previously attributed to this group, their observed targets are in line with past group efforts and also highly similar to known Chinese APT efforts, and we identified an IP address originating in Hainan, China that was used to remotely access and administer a command and control (C2) server.

TEMP.Periscope Background

Active since at least 2013, TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities (targeting is summarized in Figure 1). The group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. TEMP.Periscope overlaps in targeting, as well as tactics, techniques, and procedures (TTPs), with TEMP.Jumper, a group that also overlaps significantly with public reporting by Proofpoint and F-Secure on "NanHaiShu."


Figure 1: Summary of TEMP.Periscope activity

Incident Background

FireEye analyzed files on three open indexes believed to be controlled by TEMP.Periscope, which yielded insight into the group's objectives, operational tactics, and a significant amount of technical attribution/validation. These files were "open indexed" and thus accessible to anyone on the public internet. This TEMP.Periscope activity on these servers extends from at least April 2017 to the present, with the most current operations focusing on Cambodia's government and elections.

  • Two servers, chemscalere[.]com and scsnewstoday[.]com, operate as typical C2 servers and hosting sites, while the third, mlcdailynews[.]com, functions as an active SCANBOX server. The C2 servers contained both logs and malware.
  • Analysis of logs from the three servers revealed:
    • Potential actor logins from an IP address located in Hainan, China that was used to remotely access and administer the servers, and interact with malware deployed at victim organizations.
    • Malware command and control check-ins from victim organizations in the education, aviation, chemical, defense, government, maritime, and technology sectors across multiple regions. FireEye has notified all of the victims that we were able to identify.
  • The malware present on the servers included both new families (DADBOD, EVILTECH) and previously identified malware families (AIRBREAK, EVILTECH, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX) .

Compromises of Cambodian Election Entities

Analysis of command and control logs on the servers revealed compromises of multiple Cambodian entities, primarily those relating to the upcoming July 2018 elections. In addition, a separate spear phishing email analyzed by FireEye indicates concurrent targeting of opposition figures within Cambodia by TEMP.Periscope.

Analysis indicated that the following Cambodian government organizations and individuals were compromised by TEMP.Periscope:

  • National Election Commission, Ministry of the Interior, Ministry of Foreign Affairs and International Cooperation, Cambodian Senate, Ministry of Economics and Finance
  • Member of Parliament representing Cambodia National Rescue Party
  • Multiple Cambodians advocating human rights and democracy who have written critically of the current ruling party
  • Two Cambodian diplomats serving overseas
  • Multiple Cambodian media entities

TEMP.Periscope sent a spear phish with AIRBREAK malware to Monovithya Kem, Deputy Director-General, Public Affairs, Cambodia National Rescue Party (CNRP), and the daughter of (imprisoned) Cambodian opposition party leader Kem Sokha (Figure 2). The decoy document purports to come from LICADHO (a non-governmental organization [NGO] in Cambodia established in 1992 to promote human rights). This sample leveraged scsnewstoday[.]com for C2.


Figure 2: Human right protection survey lure

The decoy document "Interview Questions.docx" (MD5: ba1e5b539c3ae21c756c48a8b5281b7e) is tied to AIRBREAK downloaders of the same name. The questions reference the opposition Cambodian National Rescue Party, human rights, and the election (Figure 3).


Figure 3: Interview questions decoy

Infrastructure Also Used for Operations Against Private Companies

The aforementioned malicious infrastructure was also used against private companies in Asia, Europe and North America. These companies are in a wide range of industries, including academics, aviation, chemical, maritime, and technology. A MURKYTOP sample from 2017 and data contained in a file linked to chemscalere[.]com suggest that a corporation involved in the U.S. defense industrial base (DIB) industry, possibly related to maritime research, was compromised. Many of these compromises are in line with TEMP.Periscope’s previous activity targeting maritime and defense industries. However, we also uncovered the compromise of a European chemical company with a presence in Asia, demonstrating that this group is a threat to business worldwide, particularly those with ties to Asia.

AIRBREAK Downloaders and Droppers Reveal Lure Indicators

Filenames for AIRBREAK downloaders found on the open indexed sites also suggest the ongoing targeting of interests associated with Asian geopolitics. In addition, analysis of AIRBREAK downloader sites revealed a related server that underscores TEMP.Periscope's interest in Cambodian politics.

The AIRBREAK downloaders in Table 1 redirect intended victims to the indicated sites to display a legitimate decoy document while downloading an AIRBREAK payload from one of the identified C2s. Of note, the hosting site for the legitimate documents was not compromised. An additional C2 domain, partyforumseasia[.]com, was identified as the callback for an AIRBREAK downloader referencing the Cambodian National Rescue Party.

Redirect Site (Not Malicious)

AIRBREAK Downloader

AIRBREAK C2

en.freshnewsasia.com/index.php/en/8623-2018-04-26-10-12-46.html

TOP_NEWS_Japan_to_Support_the_Election.js

(3c51c89078139337c2c92e084bb0904c) [Figure 4]

chemscalere[.]com

iric.gov.kh/LICADHO/Interview-Questions.pdf

[pdf]Interview-Questions.pdf.js

(e413b45a04bf5f812912772f4a14650f)

iric.gov.kh/LICADHO/Interview-Questions.pdf

[docx]Interview-Questions.docx.js

(cf027a4829c9364d40dcab3f14c1f6b7)

unknown

Interview_Questions.docx.js

(c8fdd2b2ddec970fa69272fdf5ee86cc)

scsnewstoday[.]com

atimes.com/article/philippines-draws-three-hard-new-lines-on-china/

Philippines-draws-three-hard-new-lines-on-china .js

(5d6ad552f1d1b5cfe99ddb0e2bb51fd7)

mlcdailynews[.]com

facebook.com/CNR.Movement/videos/190313618267633/

CNR.Movement.mp4.js

(217d40ccd91160c152e5fce0143b16ef)

Partyforumseasia[.]com

 

Table 1: AIRBREAK downloaders


Figure 4: Decoy document associated with AIRBREAK downloader file TOP_NEWS_Japan_to_Support_the_Election.js

SCANBOX Activity Gives Hints to Future Operations

The active SCANBOX server, mlcdailynews[.]com, is hosting articles related to the current Cambodian campaign and broader operations. Articles found on the server indicate targeting of those with interests in U.S.-East Asia geopolitics, Russia and NATO affairs. Victims are likely either brought to the SCANBOX server via strategic website compromise or malicious links in targeted emails with the article presented as decoy material. The articles come from open-source reporting readily available online. Figure 5 is a SCANBOX welcome page and Table 2 is a list of the articles found on the server.


Figure 5: SCANBOX welcome page

Copied Article Topic

Article Source (Not Compromised)

Leaders confident yet nervous

Khmer Times

Mahathir_ 'We want to be friendly with China

PM urges voters to support CPP for peace

CPP determined to maintain Kingdom's peace and development

Bun Chhay's wife dies at 60

Crackdown planned on boycott callers

Further floods coming to Kingdom

Kem Sokha again denied bail

PM vows to stay on as premier to quash traitors

Iran_ Don't trust Trump

Fresh News

Kim-Trump summit_ Singapore's role

Trump's North Korea summit may bring peace declaration - but at a cost

Reuters

U.S. pushes NATO to ready more forces to deter Russian threat

us-nato-russia_us-pushes-nato-to-ready-more-forces-to-deter-russian-threat

Interior Minister Sar Kheng warns of dirty tricks

Phnom Penh Post

Another player to enter market for cashless pay

Donald Trump says he has 'absolute right' to pardon himself but he's done nothing wrong - Donald Trump's America

ABC News

China-funded national road inaugurated in Cambodia

The Cambodia Daily

Kim and Trump in first summit session in Singapore

Asia Times

U.S. to suspend military exercises with South Korea, Trump says

U.S. News

Rainsy defamed the King_ Hun Sen

BREAKING NEWS

cambodia-opposition-leader-denied-bail-again-in-treason-case

Associated Press

Table 2: SCANBOX articles copied to server

TEMP.Periscope Malware Suite

Analysis of the malware inventory contained on the three servers found a classic suite of TEMP.Periscope payloads, including the signature AIRBREAK, MURKYTOP, and HOMEFRY. In addition, FireEye’s analysis identified new tools, EVILTECH and DADBOD (Table 3).

Malware

Function

Details

EVILTECH

Backdoor

  • EVILTECH is a JavaScript sample that implements a simple RAT with support for uploading, downloading, and running arbitrary JavaScript.
  • During the infection process, EVILTECH is run on the system, which then causes a redirect and possibly the download of additional malware or connection to another attacker-controlled system.

DADBOD

Credential Theft

  • DADBOD is a tool used to steal user cookies.
  • Analysis of this malware is still ongoing.

Table 3: New additions to the TEMP.Periscope malware suite

Data from Logs Strengthens Attribution to China

Our analysis of the servers and surrounding data in this latest campaign bolsters our previous assessment that TEMP.Periscope is likely Chinese in origin. Data from a control panel access log indicates that operators are based in China and are operating on computers with Chinese language settings.

A log on the server revealed IP addresses that had been used to log in to the software used to communicate with malware on victim machines. One of the IP addresses, 112.66.188.28, is located in Hainan, China. Other addresses belong to virtual private servers, but artifacts indicate that the computers used to log in all cases are configured with Chinese language settings.

Outlook and Implications

The activity uncovered here offers new insight into TEMP.Periscope’s activity. We were previously aware of this actor’s interest in maritime affairs, but this compromise gives additional indications that it will target the political system of strategically important countries. Notably, Cambodia has served as a reliable supporter of China’s South China Sea position in international forums such as ASEAN and is an important partner. While Cambodia is rated as Authoritarian by the Economist’s Democracy Index, the recent surprise upset of the ruling party in Malaysia may motivate China to closely monitor Cambodia’s July 29 elections.

The targeting of the election commission is particularly significant, given the critical role it plays in facilitating voting. There is not yet enough information to determine why the organization was compromised – simply gathering intelligence or as part of a more complex operation. Regardless, this incident is the most recent example of aggressive nation-state intelligence collection on election processes worldwide.

We expect TEMP.Periscope to continue targeting a wide range of government and military agencies, international organizations, and private industry. However focused this group may be on maritime issues, several incidents underscore their broad reach, which has included European firms doing business in Southeast Asia and the internal affairs of littoral nations. FireEye expects TEMP.Periscope will remain a virulent threat for those operating in the area for the foreseeable future.

Military Reaper Drone Documents Leaked on the Dark Web

Insikt Group

Scope Note: Initial analysis into the leak of sensitive military information regarding the MQ-9 Reaper unmanned aerial vehicle was initiated as the result of analysts monitoring criminal activity on deep and dark web forums and marketplaces. Direct threat actor interaction allowed Insikt Group analysts to discover other leaked military information available from the same threat actor. Once identified, searches in Recorded Future revealed the extent of the actor’s activities.

Executive Summary

On June 1, 2018, while monitoring criminal actor activities on the deep and dark web, Recorded Future’s Insikt Group identified an attempted sale of what we believe to be highly sensitive U.S. Air Force documents. Specifically, an English-speaking hacker claimed to have access to export-controlled documents pertaining to the MQ-9 Reaper unmanned aerial vehicle (UAV). Insikt analysts engaged the hacker and confirmed the validity of the compromised documents. Insikt Group identified the name and country of residence of an actor associated with a group we believe to be responsible. This analysis is available to our customers via Insikt’s blog. We continue to assist law enforcement in their investigation.

Key Judgements

  • Recorded Future identified a newly registered member of a hacking forum attempting to sell highly sensitive documents about the U.S. military MQ-9 Reaper drone.
  • Following the first incident, the threat actor acknowledged another breach involving a large number of military documents from an unidentified officer.
  • The documents contained a second dataset including the M1 Abrams maintenance manual, a tank platoon training course, a crew survival course, and documentation on improvised explosive device (IED) mitigation tactics.
  • Insikt Group analysts learned that the attacker used a widely known tactic of gaining access to vulnerable Netgear routers with improperly setup FTP login credentials.

Recorded Future Timeline of Actor Activity

Actor’s activity timeline in Recorded Future.

Background

Manufactured by General Atomics, the MQ-9 Reaper is regarded as one of the most advanced and lethal military technology commissioned in the past two decades. According to open sources, Reaper was first introduced in 2001 and is currently used by the U.S. Air Force, the U.S. Navy, the CIA, U.S. Customs and Border Protection, NASA, and the militaries of several other countries.

In 2006, then Chief of Staff of the United States Air Force General T. Michael Moseley said, “We’ve moved from using UAVs primarily in intelligence, surveillance, and reconnaissance roles before Operation Iraqi Freedom, to a true hunter-killer role with the Reaper.”

Reaper Maintenance Training Documents

Reaper maintenance training documents stolen by the hacker.

Threat Analysis

It is not uncommon to uncover sensitive data like personally identifiable information (PII), login credentials, financial information, and medical records being offered for sale on the dark web. However, it is incredibly rare for criminal hackers to steal and then attempt to sell military documents on an open market.

Original Advertisement on Dark Web

Original advertisement posted on the dark web.

In the weeks following the initial advertisement, Insikt Group analysts established and maintained direct contact with the hacker, learning that a previously disclosed FTP vulnerability in Netgear routers was exploited to gain access. Utilizing Shodan’s popular search engine, the actors scanned large segments of the internet for high-profile misconfigured routers that use a standard port 21 to hijack all valuable documents from compromised machines.

Utilizing the above-mentioned method, the hacker first infiltrated the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech AFB in Nevada, and stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to Reaper AMU. While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts.

The captain whose computer was compromised recently completed the Cyber Awareness Challenge and should have been aware of the required actions to prevent unauthorized access. In this case, setting the FTP password.

Certificate of Completion

The Cyber Awareness Challenge certificate of completion.

Following his advertisement for the Reaper drone documents, the threat actor put yet another set of military documents up for sale. Unfortunately, this time the source was never disclosed to Recorded Future. However, judging by the content, they appear to be stolen from the Pentagon or from a U.S. Army official. More than a dozen various training manuals describe improvised explosive device defeat tactics, an M1 ABRAMS tank operation manual, a crewman training and survival manual, and tank platoon tactics. As with the previous documents, none represent classified materials, although most can be distributed to U.S. government agencies and their contractors only.

Convoy Risk Mitigation Procedures

Convoy risk mitigation procedures described in the IED manual.

During the Insikt Group analyst’s engagement with the actor, he professed that on days he was not hunting for his next victim, he entertained himself by watching sensitive live footage from border surveillance cameras and airplanes. The actor was even bragging about accessing footage from a MQ-1 Predator flying over Choctawhatchee Bay in the Gulf of Mexico.

Aircraft Video Footage Screenshot

Screenshot of the aircraft video footage showcased by the hacker.

Technical Analysis

In early 2016, several security researchers publicly announced that Netgear routers with remote data access capabilities were susceptible to malicious attacks if the default FTP authentication credentials were not updated. Despite it being two years since the vulnerability was first acknowledged, the problem remains widespread. During our recent research, Recorded Future identified more than 4,000 routers susceptible to the attack.

Shodan Scan Results

Shodan scan results with more than 4,000 potentially vulnerable systems identified.

As Netgear previously reported, the steps described below are sufficient to protect the device from malicious attacks.

  1. Launch an internet browser from a computer or wireless device that is connected to the network.
  2. Type in http://www.routerlogin.net or http://www.routerlogin.com. A login screen will display.
  3. The user name is admin. The default password is password. However, to prevent unauthorized access, make sure to update the password by using a random combination of letters, numbers, and symbols. The user name and password are case sensitive.
  4. Select ADVANCED > USB Functions > ReadySHARE Storage.
  5. Select FTP.
  6. Click Apply.

Netgear FTP Credentials Setup Process

Netgear FTP credentials setup process.

Outlook

As current compromises have shown, even those who should be adept to common security hygiene practices are not immune to rudimentary attacks, resulting in incidents with dire consequences. Although private industries have really stepped up their security efforts in recent years, investing heavily both in the infrastructure and workforce education, the government is consistently lagging behind when it comes to the security training of its employees and protection of state secrets. Sadly, very few understand the importance of properly securing wireless access points (WAP), and even fewer use strong passwords and understand how to spot phishing emails.

The military response teams will determine the exact ramifications of both breaches. However, the fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week’s time is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve.

The post Military Reaper Drone Documents Leaked on the Dark Web appeared first on Recorded Future.

     

SN 671: STARTTLS Everywhere

This week we discuss another worrisome trend in malware, another fitness tracking mapping incident and mistake, something to warn our friends and family to ignore, the value of periodically auditing previously-granted web app permissions, when malware gets picky about the machines it infects, another kinda-well-meaning Coinhive service gets abused, what are the implications of D-Link losing control of its code signing cert?, some good news about Android apps, iOS v11.4.1 introduces "USB Restricted Mode"... but is it?, a public service reminder about the need to wipe old thumb drives and memory cards, what about those free USB fans that were handed out at the recent North Korea / US summit?... and then we take a look at eMail's STARTTLS system and the EFF's latest initiative to increase its usefulness and security.

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Bandwidth for Security Now is provided by CacheFly.

Sponsors:

BolehVPN review: A capable service that’s not for novices

BolehVPN in brief:

  • P2P allowed: Yes
  • Business location: Malaysia and Seychelles
  • Number of servers: 35
  • Number of country locations: 12
  • Cost: $80 per year
  • VPN protocol: OpenVPN and L2TP
  • Data encryption: AES-256
  • Data authentication: SHA2
  • Handshake encryption: RSA-4096

Many VPNs right now are trying to be as user friendly as possible with a simple connect button and a simplified list of server locations. Not so with BolehVPN. This Malaysia-based VPN is not focused on ease of use, but at the same time there may not be quite enough here to satisfy power users.

To read this article in full, please click here

Macy’s, Bloomingdales Alert Online Customers of Data Breach

Macy’s is notifying customers of a data breach involving unauthorized access to their payment card data and personal information. In a notice sent to affected customers, Macy’s said it first detected suspicious login activity from certain Macys.com accounts on June 11, 2018. “Based on our investigation, we believe that an unauthorized third-party – from approximately […]… Read More

The post Macy’s, Bloomingdales Alert Online Customers of Data Breach appeared first on The State of Security.

CVE-2018-3667

Installation tool IPDT (Intel Processor Diagnostic Tool) 4.1.0.24 sets permissions of installed files incorrectly, allowing for execution of arbitrary code and potential privilege escalation.

CVE-2018-3693 (atom_c, atom_e, atom_x3, atom_z, celeron_j, celeron_n, core_i3, core_i5, core_i7, core_m, core_m3, core_m5, core_m7, cortex-a, cortex-r, pentium_j, pentium_n, xeon, xeon_bronze, xeon_e3, xeon_e5, xeon_e7, xeon_gold, xeon_phi, xeon_platinum, xeon_silver)

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.

CVE-2018-3652

Existing UEFI setting restrictions for DCI (Direct Connect Interface) in 5th and 6th generation Intel Xeon Processor E3 Family, Intel Xeon Scalable processors, and Intel Xeon Processor D Family allows a limited physical presence attacker to potentially access platform secrets via debug interfaces.

CVE-2018-3629

Buffer overflow in event handler in Intel Active Management Technology in Intel Converged Security Manageability Engine Firmware 3.x, 4.x, 5.x, 6.x, 7.x, 8.x, 9.x, 10.x, and 11.x may allow an attacker to cause a denial of service via the same subnet.

CVE-2017-5704

Platform sample code firmware included with 4th Gen Intel Core Processor, 5th Gen Intel Core Processor, 6th Gen Intel Core Processor, and 7th Gen Intel Core Processor potentially exposes password information in memory to a local attacker with administrative privileges.

CVE-2018-3619

Information disclosure vulnerability in storage media in systems with Intel Optane memory module with Whole Disk Encryption may allow an attacker to recover data via physical access.

CVE-2018-3632

Memory corruption in Intel Active Management Technology in Intel Converged Security Manageability Engine Firmware 6.x / 7.x / 8.x / 9.x / 10.x / 11.0 / 11.5 / 11.6 / 11.7 / 11.10 / 11.20 could be triggered by an attacker with local administrator permission on the system.

CVE-2018-3628

Buffer overflow in HTTP handler in Intel Active Management Technology in Intel Converged Security Manageability Engine Firmware 3.x, 4.x, 5.x, 6.x, 7.x, 8.x, 9.x, 10.x, and 11.x may allow an attacker to execute arbitrary code via the same subnet.

Fitness apps: Good for your health, not so much for military security

Fitness apps are proving to be a lot less beneficial to military security than they are for military fitness. That after researchers in the Netherlands discovered that data from the Polar fitness app revealed the homes and habits of those exercising in clandestine locations around the world, including intelligence agencies, military bases, nuclear...

Read the whole entry... »

Related Stories

The Paradox – Business Security Weekly #91

This week, Michael and Paul talk how to get the upper hand in any offer, experts needing to get better at telling stories, why companies need to build a skills inventory, and more! In our feature interview, CSO of Cisco Edna Conway makes her return on Business Security Weekly to sit down with Paul to discuss Intellectual Property! All that and more on this episode of Business Security Weekly!

Full Show Notes: https://wiki.securityweekly.com/BSWEpisode91

 

Visit https://www.securityweekly.com/bsw for all the latest episodes!

 

Visit https://www.activecountermeasures/bsw to sign up for a demo or buy our AI Hunter!!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

VERT Threat Alert: July 2018 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s July 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-786 on Wednesday, July 11th. In-The-Wild & Disclosed CVEs CVE-2018-8278 Microsoft Edge is vulnerable to a spoofing vulnerability that could allow an attacker to design a malicious fake website that appears to be […]… Read More

The post VERT Threat Alert: July 2018 Patch Tuesday Analysis appeared first on The State of Security.

CVE-2018-13863

The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.

Ubuntu Security Notice USN-3705-2

Ubuntu Security Notice 3705-2 - USN-3705-1 fixed vulnerabilities in Firefox. The update introduced various minor regressions. This update fixes the problems. Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, bypass same-origin restrictions, bypass CORS restrictions, bypass CSRF protections, obtain sensitive information, or execute arbitrary code. A security issue was discovered with WebExtensions. If a user were tricked in to installing a specially crafted extension, an attacker could potentially exploit this to obtain full browser permissions. Various other issues were also addressed.

CVE-2018-10872

A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, processor does not deliver interrupts and exceptions, they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in DoS. This CVE-2018-10872 was assigned due to regression of CVE-2018-8897 in Red Hat Enterprise Linux 6.10 GA kernel. No other versions are affected by this CVE.

CVE-2018-1116

A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a local DoS and information disclosure.

Microsoft Releases July 2018 Security Updates

Original release date: July 10, 2018

Microsoft has released updates to address vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review Microsoft’s July 2018 Security Update Summary and Deployment Information and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.


USB Accessory Can Defeat iOS’s New “USB Restricted Mode” Security Feature

With the release of iOS 11.4.1, Apple has finally rolled out a new security feature designed to protect your devices against USB accessories that connect to the data port, making it harder for law enforcement and hackers to break into your iPhone or iPad without your permission. Dubbed USB Restricted Mode, the feature automatically disables data connection capabilities of the Lightning port on

Microsoft Releases Patch Updates for 53 Vulnerabilities In Its Software

It's time to gear up your systems and software for the latest July 2018 Microsoft security patch updates. Microsoft today released security patch updates for 53 vulnerabilities, affecting Windows, Internet Explorer (IE), Edge, ChakraCore, .NET Framework, ASP.NET, PowerShell, Visual Studio, and Microsoft Office and Office Services, and Adobe Flash Player. Out of 53 vulnerabilities, 17 are

Cisco NX-OS Software Authenticated Simple Network Management Protocol Denial of Service Vulnerability

A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco NX-OS Software could allow an authenticated, remote attacker to cause the SNMP application on an affected device to restart unexpectedly.

The vulnerability is due to improper validation of SNMP protocol data units (PDUs) in SNMP packets. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device. A successful exploit could allow the attacker to cause the SNMP application to restart multiple times, leading to a system-level restart and a denial of service (DoS) condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxossnmp

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.


Security Impact Rating: High
CVE: CVE-2018-0291

CVE-2018-2435

SAP NetWeaver Enterprise Portal from 7.0 to 7.02, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

CVE-2018-2439

The SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, has insufficient request validation (for example, where the request is validated for authenticity and validity) and under certain conditions, will process invalid requests. Several areas of the SAP Internet Graphics Server (IGS) did not require sufficient input validation. Namely, the SAP Internet Graphics Server (IGS) HTTP and RFC listener, SAP Internet Graphics Server (IGS) portwatcher when registering a portwatcher to the multiplexer and the SAP Internet Graphics Server (IGS) multiplexer had insufficient input validation and thus allowing a malformed data packet to cause a crash.

CVE-2018-2438

The SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, has several denial-of-service vulnerabilities that allow an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.

CVE-2018-2440

Under certain circumstances SAP Dynamic Authorization Management (DAM) by NextLabs (Java Policy Controller versions 7.7 and 8.5) exposes sensitive information in the application logs.

CVE-2018-2437

The SAP Internet Graphics Service (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, allows an attacker to externally trigger IGS command executions which can lead to: disclosure of information and malicious file insertion or modification.

CVE-2018-2431

SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

CVE-2018-2432

SAP BusinessObjects Business Intelligence (BI Launchpad and Central Management Console) versions 4.10, 4.20 and 4.30 allow an attacker to include invalidated data in the HTTP response header sent to a Web user. Successful exploitation of this vulnerability may lead to advanced attacks, including: cross-site scripting and page hijacking.

CVE-2018-2433

SAP Gateway (SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.53) allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.

CVE-2018-2434

A content spoofing vulnerability in the following components allows to render html pages containing arbitrary plain text content, which might fool an end user: UI add-on for SAP NetWeaver (UI_Infra, 1.0), SAP UI Implementation for Decoupled Innovations (UI_700, 2.0): SAP NetWeaver 7.00 Implementation, SAP User Interface Technology (SAP_UI 7.4, 7.5, 7.51, 7.52). There is little impact as it is not possible to embed active contents such as JavaScript or hyperlinks.

CVE-2018-2427

SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, and SAP Crystal Reports (version for Visual Studio .NET, Version 2010) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application.

CVE-2018-10890

A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. It was possible for the core_course_get_categories web service to return hidden categories, which should be omitted when fetching course categories.

CVE-2018-10891

A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. When a quiz question bank is imported, it was possible for the question preview that is displayed to execute JavaScript that is written into the question bank.

CVE-2018-13850

The "Firebase Cloud Messaging (FCM) + Advance Admin Panel" component supporting Firebase Push Notification on iOS (through 2017-10-26) allows SQL injection via the /advance_push/public/login username parameter.

CVE-2018-10889

A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7. No option existed to omit logs from data privacy exports, which may contain details of other users who interacted with the requester.

Vulnerability Spotlight: Multiple Antenna House Vulnerabilities

Discovered by Marcin Noga of Cisco Talos

Overview

Cisco Talos has identified six vulnerabilities in the Antenna House Office Server Document Converter (OSDC). These vulnerabilities can be used to remotely execute code on a vulnerable system. Antenna House Office Server Document Converter is a product designed to convert Microsoft Office documents into PDF and SVG documents.

The vulnerabilities can be exploited to locally execute code, or even remotely if the product is used in batch mode by the owners. In this context, the maliciously crafted document could be automatically handled by the product, and a successful exploitation could result in full control of the vulnerable system.

The six vulnerabilities can be exploited by a specially crafted Microsoft Office document.

Details

TALOS-2018-0596 (CVE-2018-3929): Antenna House Office Server Document Converter OLEread Code Execution Vulnerability

This vulnerability is located in the conversion process of a PowerPoint (.ppt) to a PDF, JPEG, and other file formats. A specially crafted .ppt file can lead to heap corruption and remote code execution.

More details can be found in the vulnerability report:
TALOS-2018-0596

TALOS-2018-0597 (CVE-2018-3930): Antenna House Office Server Document Converter vbgetfp Code Execution vulnerability

This vulnerability is located in the conversion process of a Microsoft Word file (.doc) to a PDF, JPEG and other file formats. A specially crafted Microsoft Word file can lead to heap corruption and remote code execution.

More details can be found in the vulnerability report:
TALOS-2018-0597

TALOS-2018-0598 (CVE-2018-3931): Antenna House Office Server Document Converter putShapeProperty Code Execution Vulnerability

This vulnerability is located in the conversion process of a Microsoft Word file (.doc) to a PDF, JPEG and other file formats. A specially crafted Microsoft Word file can lead to a stack-based buffer overflow and remote code execution.

More details can be found in the vulnerability report:
TALOS-2018-0598

TALOS-2018-0599 (CVE-2018-3932): Antenna House Office Server Document Converter putlsttbl Code Execution Vulnerability

This vulnerability is located in the conversion process of a Microsoft Word file (.doc) to PDF, JPEG and other file formats. A specially crafted Microsoft Word file can lead to a stack-based buffer overflow and remote code execution.

More details can be found in the vulnerability report:
TALOS-2018-0599

TALOS-2018-0600 (CVE-2018-3933): Antenna House Office Server Document Converter vbputanld Code Execution Vulnerability

This vulnerability is located in the conversion process of a Microsoft Word file (.doc) to PDF, JPEG and other formats. A specially crafted Microsoft Word file can lead to a stack-based buffer overflow and remote code execution..

More details can be found in the vulnerability report:
TALOS-2018-0600

TALOS-2018-0603 (CVE-2018-3936): Antenna House Office Server Document Converter GetShapePropery 0x105 Code Execution Vulnerability

An exploitable out-of-bounds write exists in the Microsoft Word document conversion functionality of the Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312). A crafted Microsoft Word (DOC) document can lead to an out-of-bounds write, resulting in remote code execution. This vulnerability occurs in the `GetShapePropery` method.

More details can be found in the vulnerability report:
TALOS-2018-0603

Tested Versions:

Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312)


Coverage

The following Snort rules will detect exploitation attempts. Additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Console or Snort.org.

Snort Rules: 46843, 46844, 46845, 46946, 46768, 46769, 46761, 46762

IDG Contributor Network: Legalizing online sports betting means a new need for security

On May 14, 2018, the Supreme Court of the United States (SCOTUS) ruled in favor of New Jersey’s case to repeal the Professional and Amateur Sports Protection Act (PASPA), thereby paving the way towards legalizing online sports betting in the U.S. PASPA prohibited all states other than those with existing legislation—Nevada, Oregon, Delaware, and Montana—from legalizing online sports betting.

The big business of online sports betting

It comes as no surprise that sports gambling is big business. In 2017, Nevada’s Gaming Control board reported a $4.8 billion bet at its sportsbooks. This was a new record high, but legal betting is just the beginning of the story. No one has a definitive number for how much money is bet illicitly. For example, the research firm, Eilers & Krejcik Gaming, projects that this number could fall between $50 billion and $60 billion.

To read this article in full, please click here

Reality and the Espionage Act

Reality Winner 50%


Reality Winner, the first whistleblower prosecuted by the Trump administration for leaking information to the press, will spend five years in prison as punishment for making officials and the public aware of vulnerabilities in election infrastructure. This unusually long sentence breaks with precedent, and is representative of the government’s increasing willingness to use the Espionage Act to punish and imprison whistleblowers and chill journalism.

On June 3, 2017, FBI agents raided Winner's home in Georgia. Federal prosecutors suspected that Winner, an intelligence contractor who worked with the NSA, had shared classified information with journalists, and obtained a search warrant to search her house and seize her electronic devices. After the FBI agents finished searching her home, they began chatting with her, casually at first, in what eventually turned into a interrogation that ended with her arrest. Winner later said that the FBI agents never told her that she had the right to remain silent or speak with an attorney.

Two days later, The Intercept published a partially-redacted version of a classified NSA document, which concluded that hackers they believe were working with Russian military intelligence had tried to penetrate states’ election systems during the 2016 election. On June 8, Winner was formally arraigned on one charge of violating 18 U.S.C. § 793(e), a provision of the Espionage Act.

Passed in 1917, the Espionage Act was originally intended to be used against foreign spies and saboteurs during World War I. But almost immediately after the Espionage Act was enacted, it was used to prosecute anti-war activists, including socialist presidential candidate Eugene Debs. The Supreme Court shamefully upheld the convictions of anti-war protesters in a series of unanimous decisions in 1919.

In 1971, Daniel Ellsberg leaked the Pentagon Papers — a classified history of the Vietnam War, which revealed that the government had repeatedly lied to the American people — to reporters at The New York Times and Washington Post. While the Supreme Court ruled that the government could not stop the papers from publishing articles about the documents, the Nixon administration retaliated against Ellsberg by charging him under the Espionage Act. Ultimately his case was thrown out for government misconduct. He was the first person to be prosecuted under the law for giving information to journalists, but he would not be the last.

During the Obama administration, the Department of Justice prosecuted at least eight people for sharing classified information with journalists. Most of the Espionage Act cases brought by Obama’s Justice Department never made it to trial, and instead, defendants were forced to take a plea deal. That’s partly because it’s next to impossible to mount an effective defense against an Espionage Act charge.

The Espionage Act simply prohibits the unauthorized disclosure of information related to the national defense — a broad category that includes information about controversial government programs, as well as true military secrets like the nuclear codes.

Defendants charged with violating the law cannot present an argument that the leak was justified or in the public interest. To convict you under the Espionage Act, federal prosecutors don't need to prove that your leak actually put anyone in danger. All they need to prove is that defendants knew the information was "related to national defense” when they gave it to journalists.

The federal government’s classification system is governed through executive orders, which give executive branch agencies the ability to designate certain information as “confidential,” “secret,” and “top-secret” if they determine that the disclosure of the information could potentially harm national security. Since the executive branch is (at least in theory) only allowed to classify information that it believes could harm national security, all classified information is assumed to be potentially dangerous to national security — even though we know this system is regularly and systematic abused to hide controversial, embarrassing, corrupt, or illegal activity.

This is circular logic — classified information must be dangerous, because if it weren’t dangerous, it wouldn’t be classified — means that the government can argue that leaking any classified information is functionally equivalent to leaking information that you know can harm the United States.

Winner wanted to challenge this assumption that all classified information is potentially dangerous. Court filings show that her attorneys planned to argue that the NSA report on Russian hacking attempts that Winner allegedly leaked had been over-classified, and the government’s claims that the release of the document would cause “exceptionally grave damage” were without merit.

Her attorneys tried to subpoenaed a wide array of intelligence agencies, hoping to show that the information Winner allegedly leaked about Russian hacking attempts was less of a state secret and more of an open secret within the government.

They also planned to enlist an expert witness — Bill Leonard, the former head of the Information Security Oversight Office, responsible for overseeing the federal government’s entire classification system — to testify about the government’s over-classification problem.

But Winner’s case once again proved it’s hard, if not impossible, to fight an Espionage Act prosecution. A judge denied all of Winner’s attempts to subpoena government agencies and imposed draconian security precautions on her attorneys, which prohibited them from discussing Winner’s case on unsecured phone lines and conducting Google searches for information about the document Winner allegedly leaked.

Meanwhile, Winner was held in a small county jail without bail for more than a year, after prosecutors convinced a judge that Winner was a flight risk because she had criticized the United States and could speak multiple foreign languages.

Winner’s treatment was harsh even by the standard of other Espionage Act prosecutions. Others charged with leaking classified information —like Jeffrey Sterling, Stephen Kim, and John Kiriakou—were released on bond.

Finally, on June 26, 2018, after over a year of fighting the case, Winner pleaded guilty to one count of violating the Espionage Act. According to the terms of her plea deal, Winner will serve 63 months in prison, followed by three years of supervised release.

“The use of the Espionage charge prevents a person from defending themselves or explaining their actions to a jury, thus making it difficult for them to receive a fair trial and treatment in the court system," Winner’s mother, Billie Winner-Davis, said in a statement. "I do believe that whatever [Reality] did or did not do she acted with good intentions. ... We need to work toward reforming laws so that the Espionage Act is not leveraged against our citizens."

Winner’s sentence is hardly lenient. She was a first-time offender, only accused of leaking one document. She was charged with a single count of violating 18 U.S.C. § 793(e), a section of the Espionage Act that carries a maximum sentence of 10 years. Winner’s sentence is the longest sentence that a leaker has ever received in federal court. (Chelsea Manning, who was originally sentenced to 35 years in prison and later had her sentence commuted by President Obama after 7 years, was convicted at a military court-martial.)

Winner’s only crime, literally, was to share information with journalists and the American people about a foreign government’s attempt to hack U.S. voting systems. State election boards reportedly appreciated Winner’s leak, which gave them the information needed to investigate Russian hacking attempts and better secure their electronic voting infrastructure.

But the federal government treated Winner as though she were a spy. Federal prosecutors charged her with violating an anti-espionage statute that is more than a century old, while arguing that she had to remain detained without bail until trial because she had no loyalty to the United States.

The Department of Justice’s increasing use of the Espionage Act against people who share information with journalists is shameful. A country that claims to value the freedom of the press should not imprison people for speaking to journalists.

Microsoft Patch Tuesday – July 2018

Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month's release addresses 53 new vulnerabilities, 17 of which are rated critical, 34 are rated important, one is rated moderate, and one is rated as low severity. These vulnerabilities impact Windows Operating System, Edge, Internet Explorer and more.

In addition to the 53 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180017, which addresses the vulnerabilities described in the Adobe security bulletin APSB18-24.

Critical vulnerabilities


This month, Microsoft is addressing 17 vulnerabilities that are rated as critical:


CVE-2018-8242 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-8262 - Microsoft Edge Memory Corruption Vulnerability
CVE-2018-8274 - Microsoft Edge Memory Corruption Vulnerability
CVE-2018-8275 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-8279 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-8280 - Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8283 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-8286 - Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8288 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-8290 - Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8291 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-8294 - Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8296 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-8298 - Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8301 - Microsoft Edge Memory Corruption Vulnerability
CVE-2018-8324 - Microsoft Edge Information Disclosure Vulnerability
CVE-2018-8327 - PowerShell Editor Services Remote Code Execution Vulnerability

Important vulnerabilities


This month, Microsoft is addressing 34 vulnerabilities that are rated as important.


CVE-2018-0949 - Internet Explorer Security Feature Bypass Vulnerability
CVE-2018-8125 - Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8171 - ASP.NET Core Security Feature Bypass Vulnerability
CVE-2018-8172 - Visual Studio Remote Code Execution Vulnerability
CVE-2018-8202 - .NET Framework Elevation of Privilege Vulnerability
CVE-2018-8206 - Windows FTP Server Denial of Service Vulnerability
CVE-2018-8222 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
CVE-2018-8238 - Skype for Business and Lync Security Feature Bypass Vulnerability
CVE-2018-8260 - .NET Framework Remote Code Execution Vulnerability
CVE-2018-8276 - Scripting Engine Security Feature Bypass Vulnerability
CVE-2018-8278 - Microsoft Edge Spoofing Vulnerability
CVE-2018-8281 - Microsoft Office Remote Code Execution Vulnerability
CVE-2018-8282 - Win32k Elevation of Privilege Vulnerability
CVE-2018-8284 - .NET Framework Remote Code Injection Vulnerability
CVE-2018-8287 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-8289 - Microsoft Edge Information Disclosure Vulnerability
CVE-2018-8297 - Microsoft Edge Information Disclosure Vulnerability
CVE-2018-8299 - Microsoft SharePoint Elevation of Privilege Vulnerability
CVE-2018-8300 - Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2018-8304 - Windows DNSAPI Denial of Service Vulnerability
CVE-2018-8305 - Windows Mail Client Information Disclosure Vulnerability
CVE-2018-8306 - Microsoft Wireless Display Adapter Command Injection Vulnerability
CVE-2018-8307 - WordPad Security Feature Bypass Vulnerability
CVE-2018-8308 - Windows Kernel Elevation of Privilege Vulnerability
CVE-2018-8309 - Windows Denial of Service Vulnerability
CVE-2018-8311 - Remote Code Execution Vulnerability in Skype For Business and Lync
CVE-2018-8312 - Microsoft Access Remote Code Execution Use After Free Vulnerability
CVE-2018-8313 - Windows Elevation of Privilege Vulnerability
CVE-2018-8314 - Windows Elevation of Privilege Vulnerability
CVE-2018-8319 - MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability
CVE-2018-8323 - Microsoft SharePoint Elevation of Privilege Vulnerability
CVE-2018-8325 - Microsoft Edge Information Disclosure Vulnerability
CVE-2018-8326 - Open Source Customization for Active Directory Federation Services XSS Vulnerability
CVE-2018-8356 - .NET Framework Security Feature Bypass Vulnerability

Coverage



In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules:

47111-47112
47109-47110
47102-47103
47091-47092
47113-47114
47107-47108
47100-47101
47098-47099
47096-47097

Former NSO employee attempts to sell stolen hacking tool on Dark web

NSO is an Israeli cybersecurity contractor and software developer that specialises in helping governments to monitor enemies using spyware technology. Recently, a former employee whose name is currently being kept hidden by the authorities allegedly stole NSO’s cyber technology, spying tools and software, with the intention of selling them on the dark web for $50 million and that could harm state security, Israel’s Justice Ministry said.

The staff member stole Pegasus spyware code and attempted to sell it.

The 38-year-old senior programmer was fired due to suspicion of stealing valuable data from the company. Upon investigation it was found that he had a hard drive with company’s servers and proprietary tools stored on it, a ministry statement said on July 5. It was found under his bed when the authorities raided his house.

The company is very strict regarding their data policy because many of their technologies are sensitive such as the Pegasus software that is driven with SMS technology and can extract Whatsapp data, messages, social media data and even gain control of a smartphone’s camera to spy on the user.

The ministry said the accused, who was hired in November 2017, was called in for a hearing by NSO on 29 April before his dismissal, after which he downloaded software and information worth hundreds of millions of dollars.

NSO Group, in the same manner as many cybersecurity firms, had protections in place to prevent the external transfer of its intellectual property and software. The employee's role permitted him access to the firm's servers, tools, and source code, but he was still restricted in the same way.

The hackers attempt to steal the data and sell it to the dark web in exchange for cryptocurrency backfired because the buyer himself tipped off NSO. He was apprehended by the Lahav 433 serious crime unit and the stolen data wasn’t sold. The statement did not identify the person who contacted the former NSO employee.

Vulnerability Spotlight: Multiple Adobe Acrobat DC Remote Code Execution Vulnerabilties


Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Today, Talos is releasing details of new vulnerabilities within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger these vulnerabilities.

TALOS-2018-0569 - Adobe Acrobat Reader DC Collab.drivers Remote Code Execution Vulnerability (CVE-2018-12812)



A specific JavaScript code embedded in a PDF file can lead to an object type confusion when opening a PDF document in Adobe Acrobat Reader DC 2018.011.20038. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found here.

TALOS-2018-0590 - Adobe Acrobat Reader DC Collab newWrStreamToCosObj Remote Code Execution Vulnerability (CVE-2018-12756)

A specific JavaScript code embedded in a PDF file can lead to an object type confusion when opening a PDF document in Adobe Acrobat Reader DC 2018.011.20038. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found here.

TALOS-2018-0592 - Adobe Acrobat Reader DC JSON Stringify Remote Code Execution Vulnerability (CVE-2018-12815)

A specific JavaScript code embedded in a PDF file can lead to a use-after-free condition when opening a PDF document in Adobe Acrobat Reader DC 2018.011.20038. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found here.

Known vulnerable versions

Adobe Acrobat Reader DC 2018.011.20038

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 46292-46293, 46550-46551, 46634-46635

CVE-2018-1331

In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user.

Adobe Releases Security Patch Updates For 112 Vulnerabilities

Adobe has released security patches for a total 112 vulnerabilities in its products, most of which have a higher risk of being exploited. The vulnerabilities addressed in this month's patch Tuesday affect Adobe Flash Player, Adobe Experience Manager, Adobe Connect, Adobe Acrobat, and Reader. None of the security vulnerabilities patched this month were either publicly disclosed or found being

Episode 103: On the Voice-Controlled Internet, How Will We Authenticate?

Voice based interfaces are growing in popularity, complexity and influence. But securing these interfaces has, thus far, been an afterthought. If we are destined to interact with the smart systems around us using our voice, how exactly will we manage to authenticate to those devices? In this podcast we speak with Ben Rafferty of the firm Semafone...

Read the whole entry... »

Related Stories

Popular Social Media App Timehop Hit With Huge Data Breach

The Fourth of July is characterized by barbeques, fireworks, and patriotism – and now cyberattacks! Just this past Independence Day, the popular social media app Timehop was hacked – as cybercriminals set their sights on the company’s servers, rather than enjoying hot dogs and sparklers. The attack affects a whopping 21 million Timehop users and has put their personal information at risk of being compromised.

The key ingredient for this attack: multi-factor authentication. Or, lack thereof. Hackers were able to access the company’s cloud servers on July 4th because Timehop had not turned on multi-factor authentication. “The breach occurred because an access credential to our cloud computing environment was compromised,” the company said. Once they obtained the credential to access the servers, the crooks managed to remain inside the system for approximately two hours.

In a company blog post, Timehop stated that the security breach compromised the names and emails of these 21 million users, which is essentially its entire user base. And 4.7 million of those affected users had a phone number that was attached to their account breached in the attack as well. Fortunately, Timehop says that no financial data was compromised in the attack, and all access to social media platforms was deactivated immediately by Timehop, which actually logged all users out of their accounts.

This breach joins the Exactis and Adidas breaches that have occurred in the past week, leaving millions of consumers out there concerned for their personal security. So, what next steps should Timehop users take to ensure they secure their personal information? Start by following these tips:

  • Change up your passwords. With this personal data already in hand, it’s likely cybercriminals are going to take a guess at your password and attempt to get inside your Timehop account. Therefore, make sure you change up your password to Timehop and any other accounts that use the same one.
  • Use two-factor authentication. If this breach has made anything clear, it’s that we cannot rely on passwords that use single-factor authentication to protect our accounts. Learn a lesson from Timehop and always enable two-factor authentication when given the option.
  • Invest in an identity theft monitoring and recovery solution. With the increase in data breaches, people everywhere are facing the possibility of identity theft. That’s precisely why they should leverage a solution tool such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Popular Social Media App Timehop Hit With Huge Data Breach appeared first on McAfee Blogs.

Adobe Releases Security Updates

Original release date: July 10, 2018

Adobe has released security updates to address vulnerabilities in Adobe Acrobat and Reader, Adobe Flash Player, Adobe Connect, and Adobe Experience Manager. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.   

NCCIC encourages users and administrators to review Adobe Security Bulletins APSB18-21, APSB18-24, APSB18-22, and APSB18-23 and apply the necessary updates.

 


This product is provided subject to this Notification and this Privacy & Use policy.


CVE-2017-1738

IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 contains an undisclosed vulnerability that would allow an authenticated user to obtain elevated privileges. IBM X-Force ID: 134919.

CVE-2017-1793

IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 137038.

CVE-2017-1791

IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 137036.

CVE-2018-1487

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5 and 11.1 binaries load shared libraries from an untrusted path potentially giving low privilege users full access to the DB2 instance account by loading a malicious shared library. IBM X-Force ID: 140972.

CVE-2017-1792

IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 137037.

CVE-2018-1492

IBM Jazz Foundation products could allow a user with physical access to the system to log in as another user due to the server's failure to properly log out from the previous session. IBM X-Force ID: 140977.

CVE-2017-1729

IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134909.

CVE-2018-1396

IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 138429.

CVE-2018-1549

IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 142658.

CVE-2018-1566

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to execute arbitrary code due to a format string error. IBM X-Force ID: 143023.

CVE-2018-1523

IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 141804.

CVE-2018-5553

The Crestron Console service running on DGE-100, DM-DGE-200-C, and TS-1542-C devices with default configuration and running firmware versions 1.3384.00049.001 and lower are vulnerable to command injection that can be used to gain root-level access.

CVE-2018-1458

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10,1, 10.5 and 11.1 could allow a local user to execute arbitrary code and conduct DLL hijacking attacks. IBM X-Force ID: 140209.

Blackhat, BSidesLV and DEF CON Parties 2018

Parties

For real, we’re back once again for the Blackhat, BSidesLV and DEF CON Parties 2018. Here is the list. Please note that this is a work in progress and I’ll be sure to add more as I become aware of them.

Please note that this sched should work fine in most smart phone browsers.

RSVP

Be sure to RSVP for parties listed that note that as the vast majority will not be allowing folks to register at the door. Please note that events which are not searchable, or have not directly requested I post them, will not be included here.

Got a Party?

Most importantly, if I’m missing a 2018 party here, please let me know through our contact us form and I’ll be sure to add them.

Copyright: pressmaster / 123RF Stock Photo

DateParty HostLocationTimeLink
August 7, 2018Risky Biz PartyAlexxa’s Bar7:00 PM – 10:00 PMRSVP
August 7, 2018HackerOneEyecandy Sound Lounge8:00 PM - 11:00 PMRSVP
August 7, 2018A10Libertine Social in Mandalay Bay6:00 PM - 8:00 PMRSVP
August 7, 2018Distil NetworksLight Nightclub at the Mandalay Bay9:00 PM – 12:00 AMRSVP
August 7, 2018Black Hat Social HourAureole5:30 PM - 8:00 PMRSVP
August 8, 2018Duo Security PartyFleur in Mandalay Bay7:00 PM – 9:00 PMRSVP
August 8, 2018Flashpoint PartyLibertine Social in Mandalay Bay7:00 PM – 10:00 PMRSVP
August 8, 2018LevelUPSkyfall Lounge in the Delano8:00 PM - 12:00 AMRSVP
August 8, 2018IOActive IOAsisHouse of Blues10:00 AM – 6:00 PMRSVP
August 8, 2018Cylance Blackhat Partyminus5° Ice Experience9:00 PM – 1:00 AMRSVP
August 8, 2018Rapid7 PartyOMNIA Nightclub, Caesars10:00 PM - 1:00 AMRSVP
August 8, 2018Cisco PartyTopgolf Las Vegas8:00 PM - 11:00 PMRSVP
August 8, 2018Carbon BlackBordergrill in Mandalay Bay7:00 PM – 9:00 PMRSVP
August 8, 2018JASK & DigitalshadowsEyecandy Sound Lounge8:00 PM - 10:00 PMRSVP
August 8, 2018BSidesLV Pool PartyTuscany Suites Pool10:00 PM - 4:00 AMBSidesLV badge required
August 9, 2018Bugcrowd House PartyRockhouse Bar8:00 PM – 12:00 AMRSVP
August 10, 2018IOActive Women, Wisdom, & WineCaesars Palace Suites3:00 PM - 5:00 PMRSVP
August 10, 2018QueerCon Pool PartyPalm’s Palace Pool8:00PM – 3:00AMOpen

The post Blackhat, BSidesLV and DEF CON Parties 2018 appeared first on Liquidmatrix Security Digest.

Chinese arrest 20 in major Crypto Currency Mining scam

According to Chinese-language publication Legal Daily police in two districts of China have arrested 20 people for their roles in a major crypto currency mining operation that earned the criminals more than 15 million yuan (currently about $2M USD).

The hackers installed mining software developed by Dalian Yuping Network Technology Company ( 大连昇平网络科技有限 ) that was designed to steal three types of coins.  Digibyte Coins (DGB, currently valued at USD$0.03 each),  Siacoin (SC, currently valued at $0.01 each) and DeCred coins (DCR coins, currently valued at $59.59 each).

It is believed that these currencies were chosen for the dual reason that they are easier to mine, due to less competition, and that they are less likely to be the target of sophisticated blockchain analysis tools.

The Game Cheat Hacker

The investigation began when Tencent detected the presence of a hidden Trojan horse with silent mining capabilities built into a cheat for a popular first person shooter video game. The plug-in provided a variety of cheats for the game, including "automatic aiming", "bullet acceleration", "bullet tracking" and "item display."  
Tencent referred the case to the Wei'an Municipal Public Security Bureau, who handled the case extremely well.  As they learned more about the trojans, they identified first the social media groups and forums where the trojan was being spread, and traced the identity of the person uploading the trojaned game cheat to a criminal named Yang Mobao. Mobao participated as a forum moderator on a site called the "Tianxia Internet Bar Forum" and members who received the cheat from him there widely shared it in other forums and social media sites, including many file shares on Baidu.
Mobao was popularizing the cheat program by encouraging others to make suggestions for new functionality.  The users who were using the tool did not suspect that they were actually mining crypto-currency while using the cheat.  More than 30,000 victims were using his cheat software and secretly mining crypto-currency for him.
Yang Mobao had a strong relationship with gamers from his business of selling gaming video cards to Internet cafes.  He installed at least 5,774 cards in at least 2,465 Internet cafes across the country, preloading the firmware on the cards to perform mining.  It turns out that these cards ALSO were trojaned!  As a major customer of Dalian Yuping, Moubao was offered a split of the mining proceeds from the cards he installed, earning him more than 268,000 yuan.
Yang is described as a self-taught computer programmer who had previously worked management Internet cafes.  After experiencing some profit from the scheme above, he modified the malware embedded in some of the video cards and installed his own miner, mining the HSR coin and transferring the proceeds to a wallet he controlled.

The Video Card Maker

After Yang Mobao confessed to his crimes, the cybercrime task force sent 50 agents to Dalian, in Liaoning Province.  The Task Force learned that Dalian Yuping Network Technology had been approached by advertisers, who paid them embed advertising software on their video cards, which were then installed in 3.89 million computers, mostly high-end gaming systems installed in video cafes.  The company's owner, He Mou, and the company's Financial Controller, his wife Chen Mou, had instructed the company's head of R&D, Zhang Ning, to investigate mining software and to experiment with various mining trojans.  In addition to the illegal advertising software embedded in those 3.89 million video cards, their crypto currency mining software was embedded into 1 million additional video cards which were sold and deployed in Internet cafes across the country.
Each time one of those machines successfully mined a coin, the coin was transferred to a wallet owned by He Mou.  Chen Mou could then cash them out at any time in the future.
 16 suspects at the company were interrogated and 12 criminally detained for the crime of illegally controlling computer information systems.  Zhao was sentenced to four years himself.
(I learned of this story from CoinDesk's Wolfie Zhao, and followed up on it from the Legal Daily story he links to as well as a report in Xinhuanet, by Reporter Xy Peng and correspondent Liu Guizeng Wang Yen.) (记者 徐鹏 通讯员 刘贵增 王艳)

Malicious PowerShell Detection via Machine Learning

Introduction

Cyber security vendors and researchers have reported for years how PowerShell is being used by cyber threat actors to install backdoors, execute malicious code, and otherwise achieve their objectives within enterprises. Security is a cat-and-mouse game between adversaries, researchers, and blue teams. The flexibility and capability of PowerShell has made conventional detection both challenging and critical. This blog post will illustrate how FireEye is leveraging artificial intelligence and machine learning to raise the bar for adversaries that use PowerShell.

In this post you will learn:

  • Why malicious PowerShell can be challenging to detect with a traditional “signature-based” or “rule-based” detection engine.
  • How Natural Language Processing (NLP) can be applied to tackle this challenge.
  • How our NLP model detects malicious PowerShell commands, even if obfuscated.
  • The economics of increasing the cost for the adversaries to bypass security solutions, while potentially reducing the release time of security content for detection engines.

Background

PowerShell is one of the most popular tools used to carry out attacks. Data gathered from FireEye Dynamic Threat Intelligence (DTI) Cloud shows malicious PowerShell attacks rising throughout 2017 (Figure 1).


Figure 1: PowerShell attack statistics observed by FireEye DTI Cloud in 2017 – blue bars for the number of attacks detected, with the red curve for exponentially smoothed time series

FireEye has been tracking the malicious use of PowerShell for years. In 2014, Mandiant incident response investigators published a Black Hat paper that covers the tactics, techniques and procedures (TTPs) used in PowerShell attacks, as well as forensic artifacts on disk, in logs, and in memory produced from malicious use of PowerShell. In 2016, we published a blog post on how to improve PowerShell logging, which gives greater visibility into potential attacker activity. More recently, our in-depth report on APT32 highlighted this threat actor's use of PowerShell for reconnaissance and lateral movement procedures, as illustrated in Figure 2.


Figure 2: APT32 attack lifecycle, showing PowerShell attacks found in the kill chain

Let’s take a deep dive into an example of a malicious PowerShell command (Figure 3).


Figure 3: Example of a malicious PowerShell command

The following is a quick explanation of the arguments:

  • -NoProfile – indicates that the current user’s profile setup script should not be executed when the PowerShell engine starts.
  • -NonI – shorthand for -NonInteractive, meaning an interactive prompt to the user will not be presented.
  • -W Hidden – shorthand for “-WindowStyle Hidden”, which indicates that the PowerShell session window should be started in a hidden manner.
  • -Exec Bypass – shorthand for “-ExecutionPolicy Bypass”, which disables the execution policy for the current PowerShell session (default disallows execution). It should be noted that the Execution Policy isn’t meant to be a security boundary.
  • -encodedcommand – indicates the following chunk of text is a base64 encoded command.

What is hidden inside the Base64 decoded portion? Figure 4 shows the decoded command.


Figure 4: The decoded command for the aforementioned example

Interestingly, the decoded command unveils a stealthy fileless network access and remote content execution!

  • IEX is an alias for the Invoke-Expression cmdlet that will execute the command provided on the local machine.
  • The new-object cmdlet creates an instance of a .NET Framework or COM object, here a net.webclient object.
  • The downloadstring will download the contents from <url> into a memory buffer (which in turn IEX will execute).

It’s worth mentioning that a similar malicious PowerShell tactic was used in a recent cryptojacking attack exploiting CVE-2017-10271 to deliver a cryptocurrency miner. This attack involved the exploit being leveraged to deliver a PowerShell script, instead of downloading the executable directly. This PowerShell command is particularly stealthy because it leaves practically zero file artifacts on the host, making it hard for traditional antivirus to detect.

There are several reasons why adversaries prefer PowerShell:

  1. PowerShell has been widely adopted in Microsoft Windows as a powerful system administration scripting tool.
  2. Most attacker logic can be written in PowerShell without the need to install malicious binaries. This enables a minimal footprint on the endpoint.
  3. The flexible PowerShell syntax imposes combinatorial complexity challenges to signature-based detection rules.

Additionally, from an economics perspective:

  • Offensively, the cost for adversaries to modify PowerShell to bypass a signature-based rule is quite low, especially with open source obfuscation tools.
  • Defensively, updating handcrafted signature-based rules for new threats is time-consuming and limited to experts.

Next, we would like to share how we at FireEye are combining our PowerShell threat research with data science to combat this threat, thus raising the bar for adversaries.

Natural Language Processing for Detecting Malicious PowerShell

Can we use machine learning to predict if a PowerShell command is malicious?

One advantage FireEye has is our repository of high quality PowerShell examples that we harvest from our global deployments of FireEye solutions and services. Working closely with our in-house PowerShell experts, we curated a large training set that was comprised of malicious commands, as well as benign commands found in enterprise networks.

After we reviewed the PowerShell corpus, we quickly realized this fit nicely into the NLP problem space. We have built an NLP model that interprets PowerShell command text, similar to how Amazon Alexa interprets your voice commands.

One of the technical challenges we tackled was synonym, a problem studied in linguistics. For instance, “NOL”, “NOLO”, and “NOLOGO” have identical semantics in PowerShell syntax. In NLP, a stemming algorithm will reduce the word to its original form, such as “Innovating” being stemmed to “Innovate”.

We created a prefix-tree based stemmer for the PowerShell command syntax using an efficient data structure known as trie, as shown in Figure 5. Even in a complex scripting language such as PowerShell, a trie can stem command tokens in nanoseconds.


Figure 5: Synonyms in the PowerShell syntax (left) and the trie stemmer capturing these equivalences (right)

The overall NLP pipeline we developed is captured in the following table:

NLP Key Modules

Functionality

Decoder

Detect and decode any encoded text

Named Entity Recognition (NER)

Detect and recognize any entities such as IP, URL, Email, Registry key, etc.

Tokenizer

Tokenize the PowerShell command into a list of tokens

Stemmer

Stem tokens into semantically identical token, uses trie

Vocabulary Vectorizer

Vectorize the list of tokens into machine learning friendly format

Supervised classifier

Binary classification algorithms:

  • Kernel Support Vector Machine
  • Gradient Boosted Trees
  • Deep Neural Networks

Reasoning

The explanation of why the prediction was made. Enables analysts to validate predications.

The following are the key steps when streaming the aforementioned example through the NLP pipeline:

  • Detect and decode the Base64 commands, if any
  • Recognize entities using Named Entity Recognition (NER), such as the <URL>
  • Tokenize the entire text, including both clear text and obfuscated commands
  • Stem each token, and vectorize them based on the vocabulary
  • Predict the malicious probability using the supervised learning model


Figure 6: NLP pipeline that predicts the malicious probability of a PowerShell command

More importantly, we established a production end-to-end machine learning pipeline (Figure 7) so that we can constantly evolve with adversaries through re-labeling and re-training, and the release of the machine learning model into our products.


Figure 7: End-to-end machine learning production pipeline for PowerShell machine learning

Value Validated in the Field

We successfully implemented and optimized this machine learning model to a minimal footprint that fits into our research endpoint agent, which is able to make predictions in milliseconds on the host. Throughout 2018, we have deployed this PowerShell machine learning detection engine on incident response engagements. Early field validation has confirmed detections of malicious PowerShell attacks, including:

  • Commodity malware such as Kovter.
  • Red team penetration test activities.
  • New variants that bypassed legacy signatures, while detected by our machine learning with high probabilistic confidence.

The unique values brought by the PowerShell machine learning detection engine include:  

  • The machine learning model automatically learns the malicious patterns from the curated corpus. In contrast to traditional detection signature rule engines, which are Boolean expression and regex based, the NLP model has lower operation cost and significantly cuts down the release time of security content.
  • The model performs probabilistic inference on unknown PowerShell commands by the implicitly learned non-linear combinations of certain patterns, which increases the cost for the adversaries to bypass.

The ultimate value of this innovation is to evolve with the broader threat landscape, and to create a competitive edge over adversaries.

Acknowledgements

We would like to acknowledge:

  • Daniel Bohannon, Christopher Glyer and Nick Carr for the support on threat research.
  • Alex Rivlin, HeeJong Lee, and Benjamin Chang from FireEye Labs for providing the DTI statistics.
  • Research endpoint support from Caleb Madrigal.
  • The FireEye ICE-DS Team.