@RISK: The Consensus Security Vulnerability Alert
November 28, 2019 – Vol. 19, Num. 48
=========================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES November 21 – 28, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Old Apache Solr vulnerability raises eyebrows with new POC
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Severity of Apache Solr vulnerability rises after new code emerges
Description: A months-old vulnerability in Apache Solr was recently reclassified as being more serious than initially thought. It was initially believed that this bug would only allow an adversary to access monitoring data on any site utilizing Solr. However, new proof-of-concept code shows it could allow an attacker to remotely execute code on a Solr server. This bug could be exploited by any adversary who has network access to a Solr server and Java Management Extensions. Windows users are reportedly not affected.
Reference: https://securityintelligence.com/news/exploit-code-escalates-apache-solr-vulnerability-to-high-risk-status/
Snort SIDs: 52324, 52325 (By John Levy)
Title: Command injection bug in popular, affordable wireless router
Description: Cisco Talos recently discovered a command injection vulnerability in the Tenda AC9 router. The Tenda AC9 is one of the most popular and affordable dual-band gigabit WiFi routers available online, especially on Amazon. A command injection vulnerability exists in the `/goform/WanParameterSetting` resource. A locally authenticated attacker can execute arbitrary commands to post parameters to execute commands on the router. The attacker can get reverse shell running as root using this command injection.
Reference: https://blog.talosintelligence.com/2019/11/vulnerability-spotlight-tenda-ac9-command-nov-2019.html
Snort SIDs: 50295, 50296 (By Amit Raut)
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The lights used to help guide airplanes to the runway at airports were exposed to the open internet at several airports across the U.S.
https://www.vice.com/en_us/article/7x5nkg/airplane-warning-lights-hacked
American security experts are starting to worry about a new wave of state-sponsored adversaries from countries like Vietnam and Qatar, a pivot from the usual cyber powers like Russia and China.
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/11/26/the-cybersecurity-202-u-s-officials-fret-about-hacking-by-a-new-generation-of-nations/5ddc808588e0fa652bbbda37/
The FBI sent a warning to auto manufacturers, warning that adversaries are targeting sensitive data.
https://www.bleepingcomputer.com/news/security/fbi-warns-of-cyber-attacks-targeting-us-automotive-industry/
Jeanette Manfra, one of the longest-tenured officials in U.S. cyber policy, is leaving the public sector for a private job, leaving a massive hole at the Cybersecurity and Infrastructure Security Agency.
https://techcrunch.com/2019/11/21/jeanette-manfra/
Manfra’s departure is just the latest loss for cyber security leadership in Washington. An exodus of election officials have experts worried about the security of the 2020 elections.
https://www.npr.org/2019/11/26/782680291/as-2020-approaches-some-experienced-election-officials-head-to-the-exits
California’s Department of Motor Vehicles makes roughly $50 million a year selling citizens’ drivers license and personal information.
https://www.vice.com/en_us/article/evjekz/the-california-dmv-is-making-dollar50m-a-year-selling-drivers-personal-information
Adversaries are hijacking Docker systems that still have their API endpoints exposed to the internet.
https://www.zdnet.com/article/a-hacking-group-is-hijacking-docker-systems-with-exposed-api-endpoints/
Twitter added new two-factor authentication features, allowing users to register for the extra security step without having to provide their phone number to the social media site.
https://www.theverge.com/2019/11/22/20977436/twitter-2fa-phone-number-authentication-app-security-key
MOST PREVALENT MALWARE FILES November 21 – 28, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
MD5: c5608e40f6f47ad84e2985804957c342
VirusTotal: scan analysis
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd
SHA 256: a97e5396d7dcd103138747ad09486671321fb75e01a70b26c908e7e0b727fad1
MD5: ef048c07855b3ef98bd991c413bc73b1
VirusTotal: scan analysis
Typical Filename: xme64-501.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Razy::tpd
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: c29da492e7e7decebff09ee531f01fc3c3de45e805947093ac0aa7c113b592dc
MD5: b77c0c1ed4cff895bf862cf46b601c84
VirusTotal: scan analysis
Typical Filename: opCS.gif
Claimed Product: N/A
Detection Name: W32.C29DA492E7-100.SBX.TG
SHA 256: 4dac88a67bc3f755c0ef3ceea5515a3e3310820978ef249d1813c9982dc6aadf
MD5: 718d579ea6ea48f95225cc9c794f9703
VirusTotal: scan analysis
Typical Filename: opext.gif
Claimed Product: N/A
Detection Name: W32.4DAC88A67B-100.SBX.TG