@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 44

@RISK: The Consensus Security Vulnerability Alert
October 31, 2019 – Vol. 19, Num. 44
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES October 24 – 31, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: OceanLotus APT part of renewed push in mobile malware space
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Nation-state actors are behind new slew of mobile malware
Description: A new report highlights how nation-state-backed APTs are utilizing the mobile malware space to conduct espionage activities on their own citizens. Security researchers at BlackBerry discovered new campaigns from actors linked to the Chinese, Iranians, Vietnamese and North Koreans. Among these attackers is the infamous OceanLotus group, which has launched a new attack that contains both mobile and desktop components. OceanLotus is deploying malicious apps onto mobile stores that “spy” on the user’s device.
Reference: https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html
Snort SIDs: 52004, 52005

Title: Denial of service in VMWare Fusion
Description: VMware Fusion 11 contains an exploitable denial-of-service vulnerability. VMWare Fusion is an application for Mac operating systems that allows users to run other OSs in a virtual environment, such as Windows and Linux. An attacker could exploit this vulnerability by supplying a malformed pixel shader inside of a VMware guest OS. This vulnerability can be triggered from a VMware guest and the VMware host will be affected, leading to a VMware fusion process crash on the host.
Reference: https://blog.talosintelligence.com/2019/10/vuln-spotlight-vmware-fusion-oct-19-dos.html
Snort SIDs: 50502, 50503

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Researchers from Microsoft say the well-known Russian APT group Fancy Bear may be looking to disrupt the 2020 Summer Olympics by attacking anti-doping agencies.
https://www.pcmag.com/news/371602/microsoft-russian-hackers-might-be-targeting-2020-olympics

Google Home and Nest users are being urged to update their devices as soon as possible to patch a vulnerability that allowed some third-party apps to eavesdrop on voice recordings.
https://www.cnet.com/how-to/update-your-google-home-security-settings-to-protect-against-eavesdroppers/

China recently adopted a new set of policies it says boosts its domestic cyber security, but skeptics say its actually just an attempt to collect more data on its citizens.
https://www.csoonline.com/article/3448578/chinas-mlps-20-data-grab-or-legitimate-attempt-to-improve-domestic-cybersecurity.html

A North Korean hacking group was reportedly able to obtain domain controller-level access to a crucial nuclear power plant in India; it appears the goal of the campaign was to steal information, not cause any damage to the plant.
https://arstechnica.com/information-technology/2019/10/indian-nuke-plants-network-reportedly-hit-by-malware-tied-to-n-korea/

The U.S. Federal Communications Commission is considering new rules that would require telecommunications companies to remove all Huawei and ZTE components from its equipment.
https://techcrunch.com/2019/10/28/fcc-rules-huawei-zte/

The country of Georgia was hit with a massive cyber attack Tuesday, taking down more than 2,000 websites and disrupting the national TV station.
https://www.bbc.com/news/technology-50207192

A new device disguised as a phone charger takes over users’ phones and interacts with pages on Google, Amazon, and other websites in an attempt to degrade the reliability of information collected by data brokers.
https://www.vice.com/en_us/article/mbm4da/this-charger-takes-over-your-phone-to-poison-the-ad-data-amazon-wants

New malware discovered on Android phones cannot be removed, even after a factory reset of the device, as it continues to reinstall itself.
https://www.zdnet.com/article/new-unremovable-xhelper-malware-has-infected-45000-android-devices/

MOST PREVALENT MALWARE FILES October 24 – 31, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: virus analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: virus analysis
Typical Filename: qmreportupload
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: virus analysis
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: virus analysis
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201

SHA 256: 6b01db091507022acfd121cc5d1f6ff0db8103f46a1940a6779dc36cca090854
MD5: 74f4e22e5be90d152521125eaf4da635
VirusTotal: virus analysis
Typical Filename: jsonMerge.exe
Claimed Product: ITSPlatform
Detection Name: W32.GenericKD:Attribute.22lk.1201

@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 43

@RISK: The Consensus Security Vulnerability Alert
October 24, 2019 – Vol. 19, Num. 43
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES October 17 – 24, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Gustuff banking trojan with new features, larger target base
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Gustuff V2
Description: The Gustuff banking trojan is back with new features, months after initially appearing targeting financial institutions in Australia. Cisco Talos first reported on Gustuff in April. Soon after, the actors behind Gustuff started by changing the distribution hosts and later disabled its command and control (C2) infrastructure. The actor retained control of their malware since there is a secondary admin channel based on SMS. The latest version of Gustuff no longer contains hardcoded package names, which dramatically lowers the static footprint when compared to previous versions.
Reference: https://blog.talosintelligence.com/2019/10/gustuffv2.html
Snort SIDs: 51908 – 51922

Title: Attackers use malicious GIFs to attack WhatsApp
Description: The WhatsApp messaging app contains a double-free vulnerability. An attacker could exploit this vulnerability, identified as CVE-2019-11932, to carry out a variety of malicious activities, including memory leaks and arbitrary code execution. The exploitation of this bug requires the attacker to send a WhatsApp user a specially crafted GIF. These rules prevent attackers from carry out remote code execution through these GIFs.
Reference: https://www.zdnet.com/article/whatsapp-vulnerability-exploited-through-malicious-gifs-to-hijack-chat-sessions/
Snort SIDs: 51953 – 51956 (By Tim Muniz)

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

The U.S. Department of Justice says it took down the largest child pornography darknet site in the world, arrested more than 300 users and organizers.
https://www.cnn.com/2019/10/16/politics/doj-darknet-child-pornography-takedown/index.html

Samsung publicly acknowledged a vulnerability in the S10 smartphone that could allow anyone’s fingerprint to unlock the device and promised to patch it as soon as possible.
https://www.bbc.com/news/technology-50080586

One of the best-known hacking groups behind the disruption of the 2016 U.S. presidential election is still active, albeit not as publicly.
https://www.cyberscoop.com/cozy-bear-return-espionage-russian-hacking/

The newest update to Google Chrome includes “site isolation,” which protects users from the theft of their passwords stored in the browser.
https://arstechnica.com/information-technology/2019/10/chrome-rolls-out-new-protections-preventing-password-and-data-theft/

The U.K. says Russian-linked hacking groups stole tools from the well-known Oilrig APT in an attempt to carry out attacks on more than 35 countries.
https://www.ft.com/content/b947b46a-f342-11e9-a79c-bc9acae3b654

Several security and technology vendors formed a new group aimed at better protecting American infrastructure, including utilities and the oil and gas industries.
https://www.zdnet.com/article/tech-security-vendors-form-group-to-address-operational-technology-cybersecurity-risks/

German manufacturer Pilz says many of its systems are still offline a week after a ransomware attack, affecting the delivery of shipments and loss of internal communications.
https://www.infosecurity-magazine.com/news/german-giant-pilz-down-after/

Popular VPN service NordVPN confirmed it was hacked after weeks of reports that the company had an expired internal private key exposed.
https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/

MOST PREVALENT MALWARE FILES October 17 – 24, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: scan analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: scan analysis
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: scan analysis
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 42

@RISK: The Consensus Security Vulnerability Alert
October 17, 2019 – Vol. 19, Num. 42
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES October 10 – 17, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: WebKit bug affects Safari, Chrome users
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Apple WebKit opens users up to malicious advertising
Description: Multiple vulnerabilities in Apple’s WebKit are allowing attackers to serve users’ malicious advertisements. This campaign affected the Google Chrome and Safari web browsers on iOS and MacOS, but the vulnerabilities were all patched out in Apple’s latest series of security updates. All the ads centered around the user’s specific mobile carrier, hoping to entice them to visit malicious websites. The vulnerabilities would allow the ads to break out of any sandboxes in place.
Reference: https://9to5mac.com/2019/10/02/scam-popup-ads/
Snort SIDs: 51821 – 51824, 51831, 58132 (By John Levy)

Title: Remote code execution bug in vBulletin
Description: A now-patched vulnerability in the popular service vBulletin is allowing attackers to completely take over sites that use the software. vBulletin powers the commenting functions for many popular sites. An attacker could exploit this vulnerability to gain the ability to remotely execute malicious code on any vBulletin server running versions 5.0.0 through 5.5.4. This bug was initially dropped as a zero-day by an anonymous user, but has since been patched by the company. The Snort rules below prevent any attempt to inject code into the server using this bug. Marcos Rodriguez wrote these rules.
Reference: https://arstechnica.com/information-technology/2019/09/public-exploit-code-spawns-mass-attacks-against-high-severity-vbulletin-bug/
Snort SIDs: 51834 – 51837 (By Marcos Rodriguez)

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Two high-profile Moroccan activists had their mobile phones targeted by the Israeli-connected Pegasus spyware.
https://arstechnica.com/information-technology/2019/10/activists-phones-targeted-by-one-of-the-worlds-most-advanced-espionage-apps/

Google’s new Pixel 4 and Pixel XL will have the ability to transcribe users’ voice recordings in notes mode, even if the device is offline.
https://techcrunch.com/2019/10/15/googles-new-voice-recorder-app-transcribes-in-real-time-even-when-offline/

A new wave of ATM “jackpotting” malware has hit banks across the globe, forcing ATMs to randomly spit out all of the money they contain.
https://www.vice.com/en_us/article/7x5ddg/malware-that-spits-cash-out-of-atms-has-spread-across-the-world

GitHub continues to receive pushback for its connection to China and U.S. Immigration and Customs Enforcement, even holding a secret meeting with its employees to discuss renewing the company’s contract with ICE.
https://www.theverge.com/2019/10/10/20908713/github-ceo-china-transcript-leak-microsoft

Mozilla says it’s better protecting Firefox from code injection attacks by removing inline scripts in the web browser.
https://www.zdnet.com/article/mozilla-to-firefox-users-heres-how-were-protecting-you-from-code-injection-attacks/

Any escalation of cyber war between the U.S. and Iran could have wide-ranging consequences, with the worst possible scenario being the deployment of Stuxnet.
https://www.cpomagazine.com/cyber-security/cyber-war-between-iran-and-united-states-could-have-far-reaching-implications/

A popular app highly promoted by China’s government may actually be giving them the ability to monitor more than 100 million users’ habits and copy the data from their mobile device.
https://www.bbc.com/news/technology-50042379

A popular underground marketplace for stolen credit card information was hacked, and a text file containing all the information in the store was shared with financial institutions who could alert the owners of the cards.
https://krebsonsecurity.com/2019/10/briansclub-hack-rescues-26m-stolen-cards/

MOST PREVALENT MALWARE FILES October 10 – 17, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: scan analysisils
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: scan analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: scan analysis
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG