@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 17

@RISK: The Consensus Security Vulnerability Alert
April 25, 2019 – Vol. 19, Num. 17
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES April 17 – 24, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Sea Turtle campaign targets well-known DNSs
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Sea Turtle campaign highlights dangers of DNS hijacking
Description: Cisco Talos discovered a new cyber threat campaign called “Sea Turtle,” which is targeting public and private entities, including national security organizations, located primarily in the Middle East and North Africa. The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019. The investigation revealed that at least 40 different organizations across 13 different countries were compromised during this campaign. Talos assesses with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems.
Reference: https://blog.talosintelligence.com/2019/04/seaturtle.html
Snort SIDs: 2281, 31975 – 31978, 31985, 32038, 32039, 32041 – 32043, 32069, 32335, 32336, 41909, 41910, 43424 – 43432, 44531, 46897, 46316

Title: Cisco discloses 31 vulnerabilities, including some critical
Description: Cisco released advisories for 31 vulnerabilities last week, including “critical” patches for its IOS and IOS XE Software Cluster Management and IOS software for the Cisco ASR 9000 series of routers. Other vulnerabilities also deal with Cisco Wireless LAN Controllers. If unpatched, an attacker could exploit these vulnerabilities to carry out denial-of-service attacks or gain the ability to remotely execute code.
Reference: https://www.networkworld.com/article/3390159/cisco-warns-wlan-controller-9000-series-router-and-iosxe-users-to-patch-urgent-security-holes.html
Snort SIDs: 49858, 49859, 49866, 49867, 49879

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Facebook says it may have “unintentionally uploaded” 1.5 million users’ email contacts without their permission.
https://www.usatoday.com/story/tech/news/2019/04/18/facebook-1-5-million-users-email-contacts-uploaded-unintentionally-without-permission/3505556002/

The source code of the Carbanak malware began appearing on VirusTotal this week.
https://www.securityweek.com/carbanak-source-code-discovered-virustotal

The U.S. says a cyber attack against Japan could be considered an act of war under a security agreement between the two countries.
https://qz.com/1600574/a-cyber-attack-in-japan-could-now-bring-the-us-into-war/

Government leaders from Singapore say a recent string of data leaks and cyber attacks will not prevent the country from moving forward in building what it calls a “Smart Nation.”
https://www.bloomberg.com/news/articles/2019-04-20/security-breaches-won-t-derail-singapore-s-tech-push-minister

A recent study found that, in the U.K., the the password “123456” was the most commonly among users who were breached last year.
https://www.bbc.com/news/technology-47974583

The Weather Channel was taken off-air for more than an hour last week due to a ransomware attack. The FBI launched an investigation into the attack.
https://www.theverge.com/2019/4/19/18507869/weather-channel-ransomware-attack-tv-program-cable-off-the-air

MOST PREVALENT MALWARE FILES April 17 – 24, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: scan analysis
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56
MD5: 4cf6cc9fafde5d516be35f73615d3f00
VirusTotal: scan analysis
Typical Filename: max.exe
Claimed Product: \0x6613\0x8BED\0x8A00\0x7A0B\0x5E8F
Detection Name: Win.Dropper.Armadillo::1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
Claimed Product: N/A
Detection Name: W32.Generic:Gen.21ij.1201

SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
MD5: b89b37a90d0a080c34bbba0d53bd66df
VirusTotal: scan analysis
Typical Filename: u.exe
Claimed Product: Orgs ps
Detection Name: W32.GenericKD:Trojangen.22ek.1201