@RISK: The Consensus Security Vulnerability Alert
October 24, 2019 – Vol. 19, Num. 43
=========================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES October 17 – 24, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Gustuff banking trojan with new features, larger target base
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Gustuff V2
Description: The Gustuff banking trojan is back with new features, months after initially appearing targeting financial institutions in Australia. Cisco Talos first reported on Gustuff in April. Soon after, the actors behind Gustuff started by changing the distribution hosts and later disabled its command and control (C2) infrastructure. The actor retained control of their malware since there is a secondary admin channel based on SMS. The latest version of Gustuff no longer contains hardcoded package names, which dramatically lowers the static footprint when compared to previous versions.
Reference: https://blog.talosintelligence.com/2019/10/gustuffv2.html
Snort SIDs: 51908 – 51922
Title: Attackers use malicious GIFs to attack WhatsApp
Description: The WhatsApp messaging app contains a double-free vulnerability. An attacker could exploit this vulnerability, identified as CVE-2019-11932, to carry out a variety of malicious activities, including memory leaks and arbitrary code execution. The exploitation of this bug requires the attacker to send a WhatsApp user a specially crafted GIF. These rules prevent attackers from carry out remote code execution through these GIFs.
Reference: https://www.zdnet.com/article/whatsapp-vulnerability-exploited-through-malicious-gifs-to-hijack-chat-sessions/
Snort SIDs: 51953 – 51956 (By Tim Muniz)
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The U.S. Department of Justice says it took down the largest child pornography darknet site in the world, arrested more than 300 users and organizers.
https://www.cnn.com/2019/10/16/politics/doj-darknet-child-pornography-takedown/index.html
Samsung publicly acknowledged a vulnerability in the S10 smartphone that could allow anyone’s fingerprint to unlock the device and promised to patch it as soon as possible.
https://www.bbc.com/news/technology-50080586
One of the best-known hacking groups behind the disruption of the 2016 U.S. presidential election is still active, albeit not as publicly.
https://www.cyberscoop.com/cozy-bear-return-espionage-russian-hacking/
The newest update to Google Chrome includes “site isolation,” which protects users from the theft of their passwords stored in the browser.
https://arstechnica.com/information-technology/2019/10/chrome-rolls-out-new-protections-preventing-password-and-data-theft/
The U.K. says Russian-linked hacking groups stole tools from the well-known Oilrig APT in an attempt to carry out attacks on more than 35 countries.
https://www.ft.com/content/b947b46a-f342-11e9-a79c-bc9acae3b654
Several security and technology vendors formed a new group aimed at better protecting American infrastructure, including utilities and the oil and gas industries.
https://www.zdnet.com/article/tech-security-vendors-form-group-to-address-operational-technology-cybersecurity-risks/
German manufacturer Pilz says many of its systems are still offline a week after a ransomware attack, affecting the delivery of shipments and loss of internal communications.
https://www.infosecurity-magazine.com/news/german-giant-pilz-down-after/
Popular VPN service NordVPN confirmed it was hacked after weeks of reports that the company had an expired internal private key exposed.
https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/
MOST PREVALENT MALWARE FILES October 17 – 24, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: scan analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: scan analysis
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: scan analysis
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201