@RISK: The Consensus Security Vulnerability Alert
September 26, 2019 – Vol. 19, Num. 39
=========================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES September 19 – 26, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Emotet returns after a quiet summer
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: New Emotet campaign emerges, but protection stays the same
Description: At the beginning of June 2019, Emotet’s operators decided to take an extended summer vacation. Even the command and control (C2) activities saw a major pause in activity. However, as summer draws to a close, Cisco Talos and other researchers started to see increased activity in Emotet’s C2 infrastructure. And as of Sept. 16, 2019, the Emotet botnet has fully reawakened, and has resumed spamming operations once again. The malware still mainly relies on socially engineered spam emails to spread. Once the attackers have swiped a victim’s email, Emotet constructs new attack messages in reply to some of that victim’s unread email messages, quoting the bodies of real messages in the threads.
Reference: https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html
Snort SIDs: 47616, 47617, 48402, 49889, 43890 – 43892, 44559, 44560
Title: Aspose PDF API contains multiple remote code execution vulnerabilites
Description: There are multiple remote code execution vulnerabilities in the Aspose.PDF API. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and trick them into opening it while using the corresponding API.
Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-aspose-PDF-API-sept-2019.html
Snort SIDs: 50730, 50731, 50738, 50739
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Apple’s iOS is now widely available on streaming devices, and it comes with a slew of new privacy and security features.
https://www.wired.com/story/ios-13-security-privacy-features-settings/
However, the initial release contains a bug where the iPhone will ignore certain location services features if the user has set an app to “never” track their location.
https://www.forbes.com/sites/kateoflahertyuk/2019/09/23/apple-confirms-ios-13-location-privacy-bug-impacting-millions-of-iphone-users/#3eb5f3a6fac8
The FBI reportedly uses a large number of secret subpoenas to obtain information about private companies, specifically in the tech industry.
https://www.nytimes.com/2019/09/20/us/data-privacy-fbi.html
Software firm Chef is cancelling its contract with U.S. ICE after a former employee deleted open-source code in protest.
https://www.vice.com/en_us/article/qvg3q5/chef-not-renewing-ice-immigration-customs-enforcem
Dozens of YouTube content creators had their accounts hijacked over the past week, likely the result of a phishing scam where attackers lured channel owners to a malicious website and stole their login credentials.
https://www.zdnet.com/article/massive-wave-of-account-hijacks-hits-youtube-creators/
Microsoft released an out-of-band patch for Internet Explorer that fixes a critical vulnerability in the web browser that could be used to take over the victim’s entire machine.
https://www.pcworld.com/article/3440556/a-new-internet-explorer-bug-can-take-over-your-entire-pc-so-stop-using-it.html
The U.S. is reportedly looking into several options to carry out a cyber attack on Iran that would hamper its ability to disrupt the Middle East while avoiding kinetic warfare.
https://www.nytimes.com/2019/09/23/world/middleeast/iran-cyberattack-us.html
MOST PREVALENT MALWARE FILES September 19 – 26, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: scan analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: scan analysis
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: scan analysis
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG