@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 44

@RISK: The Consensus Security Vulnerability Alert
October 31, 2019 – Vol. 19, Num. 44
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES October 24 – 31, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: OceanLotus APT part of renewed push in mobile malware space
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Nation-state actors are behind new slew of mobile malware
Description: A new report highlights how nation-state-backed APTs are utilizing the mobile malware space to conduct espionage activities on their own citizens. Security researchers at BlackBerry discovered new campaigns from actors linked to the Chinese, Iranians, Vietnamese and North Koreans. Among these attackers is the infamous OceanLotus group, which has launched a new attack that contains both mobile and desktop components. OceanLotus is deploying malicious apps onto mobile stores that “spy” on the user’s device.
Reference: https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html
Snort SIDs: 52004, 52005

Title: Denial of service in VMware Fusion
Description: VMware Fusion 11 contains an exploitable denial-of-service vulnerability. VMware Fusion is an application for macOS that allows users to run other operating systems, such as Windows and Linux, in a virtual environment. An attacker could exploit this vulnerability by supplying a malformed pixel shader from inside a VMware guest OS. Because the flaw is triggered from the guest but affects the host, a successful attack crashes the VMware Fusion process on the host.
Reference: https://blog.talosintelligence.com/2019/10/vuln-spotlight-vmware-fusion-oct-19-dos.html
Snort SIDs: 50502, 50503

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Researchers from Microsoft say the well-known Russian APT group Fancy Bear may be looking to disrupt the 2020 Summer Olympics by attacking anti-doping agencies.
https://www.pcmag.com/news/371602/microsoft-russian-hackers-might-be-targeting-2020-olympics

Google Home and Nest users are being urged to update their devices as soon as possible to patch a vulnerability that allowed some third-party apps to eavesdrop on voice recordings.
https://www.cnet.com/how-to/update-your-google-home-security-settings-to-protect-against-eavesdroppers/

China recently adopted a new set of policies it says boosts its domestic cyber security, but skeptics say it's actually just an attempt to collect more data on its citizens.
https://www.csoonline.com/article/3448578/chinas-mlps-20-data-grab-or-legitimate-attempt-to-improve-domestic-cybersecurity.html

A North Korean hacking group was reportedly able to obtain domain controller-level access to a crucial nuclear power plant in India; it appears the goal of the campaign was to steal information, not cause any damage to the plant.
https://arstechnica.com/information-technology/2019/10/indian-nuke-plants-network-reportedly-hit-by-malware-tied-to-n-korea/

The U.S. Federal Communications Commission is considering new rules that would require telecommunications companies to remove all Huawei and ZTE components from their equipment.
https://techcrunch.com/2019/10/28/fcc-rules-huawei-zte/

The country of Georgia was hit with a massive cyber attack Tuesday, taking down more than 2,000 websites and disrupting the national TV station.
https://www.bbc.com/news/technology-50207192

A new device disguised as a phone charger takes over users’ phones and interacts with pages on Google, Amazon, and other websites in an attempt to degrade the reliability of information collected by data brokers.
https://www.vice.com/en_us/article/mbm4da/this-charger-takes-over-your-phone-to-poison-the-ad-data-amazon-wants

New malware discovered on Android phones cannot be removed, even after a factory reset of the device, as it continues to reinstall itself.
https://www.zdnet.com/article/new-unremovable-xhelper-malware-has-infected-45000-android-devices/

MOST PREVALENT MALWARE FILES October 24 – 31, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: virus analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: virus analysis
Typical Filename: qmreportupload
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: virus analysis
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: virus analysis
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201

SHA 256: 6b01db091507022acfd121cc5d1f6ff0db8103f46a1940a6779dc36cca090854
MD5: 74f4e22e5be90d152521125eaf4da635
VirusTotal: virus analysis
Typical Filename: jsonMerge.exe
Claimed Product: ITSPlatform
Detection Name: W32.GenericKD:Attribute.22lk.1201
