Latest news from Naked Security (2019/05/31)

Unpatched Docker bug allows read-write access to host OS

Suse developer Aleksa Sarai has uncovered a bug in the way that the container framework handles path names.

Flipboard data breach – what users should do now

Hugely popular news aggregation site Flipboard – one billion app downloads from Google Play and counting – has become the latest internet company to admit it has suffered a breach.

Foreign spies may be hiding in your VPN, warns DHS

“…nation-state actors have demonstrated intent and capability to leverage VPN services and vulnerable users for malicious purposes.”

Facial recognition used to strip adult industry workers of anonymity

A name-and-shame database is supposed to “save” husbands from wives who have appeared on porn sites.

@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 22

@RISK: The Consensus Security Vulnerability Alert
May 30, 2019 – Vol. 19, Num. 22
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES May 23 -30, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Another zero-day vulnerability exposed in Internet Explorer
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Vulnerability could allow JavaScript to be injected into Internet Explorer 11
Description: Researchers uncovered another Microsoft zero-day vulnerability. One of the critical bugs could allow an attacker to inject a DLL into Internet Explorer 11. After the injection, the exploit opens a filepicker and an HTML page that contains JavaScript that executes in a lower security context. There is also a zero-day privilege escalation vulnerability in Windows Error Reporting.
Reference: https://www.bleepingcomputer.com/news/microsoft/poc-exploits-released-for-two-more-windows-vulnerabilities/
Snort SIDs: 50183, 50184

Title: Winnti malware now appears on Linux
Description: A new variant of the Winnti malware has been spotted in the wild being exploited on Linux machines. The malware acts as a backdoor for attackers. There are two different files – a main backdoor and a library that can hide the malware’s activity. Winnti’s primary role is to handle communications and deploy other modules directly from the command and control (C2) server.
Reference: https://www.scmagazine.com/home/security-news/malware/googles-chronicle-security-team-discovered-a-linux-version-of-the-winnti-malware-was-used-in-the-2015-hack-of-a-vietnamese-gaming-company/
Snort SIDs: 50164 – 50167

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Title insurance company First American Financial Corp. leaked hundreds of millions of documents related to mortgage deals dating back to 2003.
https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/

Hackers claim to have stolen the personal data of millions of Australian graphic design startup Canva’s users.
https://www.zdnet.com/article/australian-tech-unicorn-canva-suffers-security-breach/

An estimated one million devices are still vulnerable to the wormable vulnerability that people are calling “BlueKeep,” which Microsoft disclosed earlier this month.
https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/

Snapchat pushed back on a report that some of its employees used privileged access to spy on some users.
https://www.infosecurity-magazine.com/news/snapchat-claims-of-employees-1/

The U.S. charged WikiLeaks founder Julian Assange with 17 criminal charges for soliciting, receiving and publishing national secrets.
https://www.buzzfeednews.com/article/zoetillman/julian-assange-wikileaks-new-charges-us

A phony, malicious app on the Google Play store that steals users’ cryptocurrencies was downloaded more than 1,000 times before being removed recently.
https://techcrunch.com/2019/05/23/cryptocurrency-stealing-android-app/

Several lawmakers are upset that a former NSA hacking tool is behind several cyberattacks against American cities, most recently Baltimore. However, many researchers say it is on end-users to patch their machines and protect them from these kinds of vulnerabilities.
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/05/28/the-cybersecurity-202-security-pros-divided-over-nsa-s-responsibility-for-baltimore-hack/5cec79771ad2e52231e8e80f/

MOST PREVALENT MALWARE FILES May 23 – 30, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: scan analysis
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: f08f4374674a8993ddaf89dcaf216bc6952d211763b8489366b0835f0eda1950
MD5: b9a5e492a6c4dd618613b1a2a9c6a4fb
VirusTotal: scan analysis
Typical Filename: maf-task.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Gt32supportgeeks::221862.in02

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: scan analysis
Typical Filename: wup.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

Latest news from Naked Security (2019/05/30)

The cryptominer that kept coming back

A Monero cryptominer made a home on an Apache Tomcat server and just wouldn’t stay away.

New Zealand’s “hacked” budget was found on a website

Police close their investigation, concluding that New Zealand’s “wellbeing” budget wasn’t hacked.

A million devices still vulnerable to ‘wormable’ RDP hole

An internet-wide scan has revealed almost one million devices vulnerable to CVE-2019-0708.

What a teen grade hacker’s confession can teach us

“We had access to the grade book. Now we could change the grades.”