Month: March 2019

@RISK: The Consensus Security Vulnerability Alert
March 28, 2019 – Vol. 19, Num. 13
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES March 21 – 28, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: WordPress plugin vulnerabilities open sites to attack
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Two serious bugs in WordPress affect popular plugins
Description: WordPress patched two vulnerabilities in two of the most popular plugins available on the content management system. They both could allow an attacker to run extensions on top of affected websites. While WordPress has patched these bugs, the two plugins still appear to be downloaded often.
Reference: https://arstechnica.com/information-technology/2019/03/two-serious-wordpress-plugin-vulnerabilities-are-being-exploited-in-the-wild/
Snort SIDs: 49541 – 49543

Title: Trickbot dropping IcedID banking trojan
Description: Security researchers recently discovered that the IcedID banking trojan and the Trickbot dropper may be more closely related than once thought. Ties between the two malware families may even date back to six years ago, although they were discovered about a year apart. Researchers with IBM’s X-Force say there’s been a recent uptick in threat actors working together to deliver different kinds of banking trojans.
Reference: https://securityintelligence.com/the-business-of-organized-cybercrime-rising-Intergang-collaboration-in-2018/
Snort SIDs: 49544 – 49547, 49549 – 49551

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

A cellphone spyware seller left more than 95,000 private photos and 25,000 audio records on an unsecured server accessible to anyone on the internet.
https://motherboard.vice.com/en_us/article/7xnybe/hosting-provider-takes-down-spyware-mobiispy

Several tenants of a New York City apartment building are suing their landlord to remove keyless entry devices on their doors and replace them with physical locks.
https://www.nytimes.com/2019/03/23/nyregion/keyless-apartment-entry-nyc.html

Chinese intelligence agencies are using LinkedIn to recruit foreign military spies.
https://www.cyberscoop.com/linkedin-china-spies-kevin-mallory-ron-hansen/

More than 100,000 GitHub pages contain publicly accessible authentication secrets, including API and cryptographic keys, with thousands more being leaked each day.
https://www.scmagazine.com/home/security-news/paper-leaked-authentication-secrets-rampant-across-github/

ASUS corrected an update on its laptops that may have inadvertently pushed malware known as the “ShadowHammer” backdoor to users’ machines.
https://www.engadget.com/2019/03/26/asus-releases-fix-for-update-tool-malware-attack/

The latest iOS update patched 51 serious vulnerabilities, including one in an app that could have allowed an attacker to listen through an iPhone’s microphone without the user’s knowledge.
https://www.zdnet.com/article/ios-12-1-fixes-bug-that-granted-apps-hidden-access-to-the-microphone/

MOST PREVALENT MALWARE FILES March 21 – 28, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: dcf0fd2f6cc7b7d6952e8a2a9e31d760c1f60dd6c64bffae0ab8b68384a21e8b
MD5: f22a024b4c98534e8ba7a1c03b0b6132
VirusTotal: scan analysis
Typical Filename: unpacknw.zip
Claimed Product: N/A
Detection Name: Osx.Malware.Bpbw::agent.tht.talos

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: scan analysis
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 4958c38ba2d7def9ba44c5382f2c5a41c619d5a5eedfb8ac4697dbf75c306933
MD5: 6b62b380b8b14b261c5bfdfe7b017cdd
VirusTotal: scan analysis
Typical Filename: csrs.exe
Claimed Product: Microsoft(R) Windows(R) Operating System
Detection Name: Win.Dropper.Shelma::1201

SHA 256: 8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56
MD5: 4cf6cc9fafde5d516be35f73615d3f00
VirusTotal: scan analysis
Typical Filename: ok.exe
Claimed Product: \0x6613\0x8BED\0x8A00\0x7A0B\0x5E8F
Detection Name: W32.Trojangen:TR.22ew.1201

SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
MD5: b89b37a90d0a080c34bbba0d53bd66df
VirusTotal: scan analysis
Typical Filename: u.exe
Claimed Product: Orgs ps
Detection Name: W32.GenericKD:Trojangen.22ek.1201

@RISK: The Consensus Security Vulnerability Alert
March 21, 2019 – Vol. 19, Num. 12
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES March 14 – 21, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Malicious WordPress comments could lead to complete site takeovers
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Latest WordPress version fixes critical vulnerability
Description: The latest update from WordPress fixes a critical vulnerability that could allow an attacker to completely take over a site. The bug opened sites to be attacked via malicious comments that contain cross-site scripting if sites had the comments module enabled. Around 20,000 sites have already been impacted by this exploit.
Reference: https://www.bleepingcomputer.com/news/security/wordpress-511-fixes-xss-vulnerability-leading-to-website-takeovers/
Snort SIDs: 49448

Title: Multiple vulnerabilities in CUJO Smart Firewall, Das U-Boot, OCTEON SDK, Webroot BrightCloud
Description: Cisco Talos recently discovered 11 vulnerabilities in the CUJO Smart Firewall. These vulnerabilities could allow an attacker to bypass the safe browsing function and completely take control of the device, either by executing arbitrary code in the context of the root account, or by uploading and executing unsigned kernels on affected systems.
Reference: https://blog.talosintelligence.com/2019/03/vuln-spotlight-cujo.html
Snort SIDs: 47234, 47663, 47809, 47811, 47842, 48261, 48262

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Several high-profile companies may have issued 1 million digital certificates that do not actually meet industry requirements.
https://arstechnica.com/information-technology/2019/03/godaddy-apple-and-google-goof-results-in-1-million-misissued-certificates/

U.S. immigration agents have access to a database of American citizens’ location based on their license plate number.
https://www.aclunc.org/blog/documents-reveal-ice-using-driver-location-data-local-police-deportations

The U.S. Department of Defense is working on a $10 million open-source voting system that would deter attacks and also allow voters to check that their votes were counted correctly.
https://motherboard.vice.com/en_us/article/yw84q7/darpa-is-building-a-dollar10-million-open-source-secure-voting-system

Norwegian aluminum company Norsk Hydro had their operations interrupted in the U.S. and Europe due to a ransomware attack.
https://www.bloomberg.com/news/articles/2019-03-19/norsk-hydro-ransomware-attack-is-severe-but-all-too-common

Germany is considering legislation that would impose harsh punishment on people who provided digital infrastructure for illegal online activities.
https://www.zdnet.com/article/dark-web-crackdown-germans-want-to-criminalize-anyone-providing-a-platform/

Google made its Sandboxed API open-source to help developers create more secure software.
https://www.securityweek.com/google-open-sources-sandboxed-api

MOST PREVALENT MALWARE FILES March 14 – 21, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: aae728ffb953cfcc573c82b63eef7603c9b29c95f42bb032b790d6d51813f7c3
MD5: ee445f9fa6296b611c72bc81d8f6c19a
VirusTotal: scan analysis
Typical Filename: wusa.exe
Claimed Product: Microsoft® Windows® Operating System
Detection Name: W32.aae728ffb9.Malspam.MRT.Talos

SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
MD5: b89b37a90d0a080c34bbba0d53bd66df
VirusTotal: scan analysis
Typical Filename: ups.rar
Claimed Product: Orgs ps
Detection Name: W32.GenericKD:Trojangen.22ek.1201

SHA 256: fea935d2d0fb1abadb900f009b4c40bb8a91fd9e25cc76ed4f9dae08960566d5
MD5: bc7fc83ce9762eb97dc28ed1b79a0a10
VirusTotal: scan analysis
Typical Filename: max.exe
Claimed Product: WPS Office
Detection Name: W32.Agent:Malwaregen.22em.1201

SHA 256: dcf0fd2f6cc7b7d6952e8a2a9e31d760c1f60dd6c64bffae0ab8b68384a21e8b
MD5: f22a024b4c98534e8ba7a1c03b0b6132
VirusTotal: scan analysis
Typical Filename: unpacknw.zip
Claimed Product: N/A
Detection Name: Osx.Malware.Bpbw::agent.tht.talos

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
Claimed Product: N/A
Detection Name: W32.Generic:Gen.21ij.1201

@RISK: The Consensus Security Vulnerability Alert
March 14, 2019 – Vol. 19, Num. 11
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES March 7 – 14, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Microsoft discloses 64 vulnerabilities as part of Patch Tuesday
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Patch Tuesday includes 17 critical Microsoft vulnerabilities
Description: Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 64 vulnerabilities, 17 of which are rated “critical,” 45 that are considered “important” and one “moderate” and “low” vulnerability each. This release also includes two critical advisories — one covering security updates to Adobe Flash Player and another concerning SHA-2.
Reference: https://blog.talosintelligence.com/2019/03/microsoft-patch-tuesday-march-2019.html
Snort SIDs: 45142, 45143, 46554, 46555, 48051, 48052, 49172, 49173, 49364 – 49369, 49371, 49372, 49378 – 49395, 49400 – 49403

Title: Multiple vulnerabilities in Pixar Renderman
Description: The MacOS version of Pixar Renderman contains three local vulnerabilities in its install helper tool. An attacker could exploit these bugs to escalate their privileges to root. Renderman is a rendering application used in animation and film production produced by Pixar, a well-known film studio. When installing the application, a helper tool is installed and launched as root. This service continues to listen even after installation is complete. These vulnerabilities lie in the `Dispatch` function of this helper tool.
Reference: https://blog.talosintelligence.com/2019/03/vuln-spotlight-pixar-renderman-local-2019.html
Snort SIDs: 48450 – 48453, 49088, 49089

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Iranian hackers stole an estimated six terabytes of data off of Citrix networks, including e-mails and files stored on sharing services.
https://www.forbes.com/sites/kateoflahertyuk/2019/03/10/citrix-data-breach-heres-what-to-do-next/#49654a741476

Several popular car alarm systems can be bypassed and turned off remotely by attackers, according to new research.
https://www.bbc.com/news/technology-47485731

Google Chrome pushed users to upgrade to Windows 10 after the web browser disclosed a zero-day bug in Windows 7 and Chrome that could allow attackers to push malicious code to users.
https://www.theverge.com/2019/3/8/18256335/google-chrome-windows-against-zero-day-vulnerabilities-update

A new report from the U.S.’s Office of the Inspector General warns that NASA has serious cybersecurity holes that could open the space agency to an attack from a nation-state actor.
https://www.infosecurity-magazine.com/news/nasas-poor-cybersecurity-1-1-1/

Adobe patched critical vulnerabilities in Photoshop and Digital Editions as part of its monthly security update.
https://www.bleepingcomputer.com/news/security/adobe-releases-march-2019-security-fixes-for-photoshop-cc-and-digital-editions/

Social media hackers have stepped up their efforts over the past few months to reinforce pro-Brexit sentiment as the British government works on a deal to leave the European Union.
https://www.securityweek.com/pro-brexit-twitter-manipulation-continues

MOST PREVALENT MALWARE FILES March 7 – 14, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f
MD5: 38de5b216c33833af710e88f7f64fc98
VirusTotal: scan analysis
Typical Filename: SECOH-QAD.exe
Claimed Product: N/A
Detection Name: W32.Hacktool.22ei.1201

SHA 256: 225bb8a1bdcd0132a3624fde62f109a4d59056bc7418a7838b6ac0997127259b
MD5: f953dd9537961aa72648f39379b7ff51
VirusTotal: scan analysis
Typical Filename: SOA.doc
Claimed Product: N/A
Detection Name: W32.225BB8A1BD-95.SBX.TG

SHA 256: 6d36f92ee3f1a7be56e00118cebf62fc4f3f127e307f5a4e7f008793ca549671
MD5: b23f736c46d9fa238b02c9eb0cea37cf
VirusTotal: scan analysis
Typical Filename: CONFIGURETGN.EXE
Claimed Product: N/A
Detection Name: Win.Malware.Generic::in03.talos

SHA 256: 18042540b39d543e9e648e5d0b059d2e8c74889bb9353674be59c94da265f393
MD5: 1a5a7532854ab45ac74b1c657fe47941
VirusTotal: scan analysis
Typical Filename: helperamc.zip
Claimed Product: Advanced Mac Cleaner
Detection Name: W32.18042540B3-95.SBX.TG

SHA 256: 60c5f5f3b78b151fe6a01d4957ad536496b646e9d8288703d10fb8a03afb3b64
MD5: efcaf7a94501ad0c9a37f459a91e493f
VirusTotal: scan analysis
Typical Filename: 1SOAJAN19_exe.bin
Claimed Product: MONARCHOMACHIC9
Detection Name: W32.60C5F5F3B7-100.SBX.T