@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 44

@RISK: The Consensus Security Vulnerability Alert
October 31, 2019 – Vol. 19, Num. 44
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES October 24 – 31, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: OceanLotus APT part of renewed push in mobile malware space
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Nation-state actors are behind new slew of mobile malware
Description: A new report highlights how nation-state-backed APTs are using the mobile malware space to conduct espionage against their own citizens. Security researchers at BlackBerry discovered new campaigns from actors linked to China, Iran, Vietnam and North Korea. Among these attackers is the infamous OceanLotus group, which has launched a new attack that contains both mobile and desktop components. OceanLotus is deploying malicious apps onto mobile app stores that “spy” on the user’s device.
Reference: https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html
Snort SIDs: 52004, 52005

Title: Denial of service in VMware Fusion
Description: VMware Fusion 11 contains an exploitable denial-of-service vulnerability. VMware Fusion is an application for Mac operating systems that allows users to run other OSs, such as Windows and Linux, in a virtual environment. An attacker could exploit this vulnerability by supplying a malformed pixel shader from inside a VMware guest OS. Because the vulnerability is triggered from the guest but affects the host, exploitation leads to a VMware Fusion process crash on the host.
Reference: https://blog.talosintelligence.com/2019/10/vuln-spotlight-vmware-fusion-oct-19-dos.html
Snort SIDs: 50502, 50503

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Researchers from Microsoft say the well-known Russian APT group Fancy Bear may be looking to disrupt the 2020 Summer Olympics by attacking anti-doping agencies.
https://www.pcmag.com/news/371602/microsoft-russian-hackers-might-be-targeting-2020-olympics

Google Home and Nest users are being urged to update their devices as soon as possible to patch a vulnerability that allowed some third-party apps to eavesdrop on voice recordings.
https://www.cnet.com/how-to/update-your-google-home-security-settings-to-protect-against-eavesdroppers/

China recently adopted a new set of policies it says boosts its domestic cyber security, but skeptics say it's actually just an attempt to collect more data on its citizens.
https://www.csoonline.com/article/3448578/chinas-mlps-20-data-grab-or-legitimate-attempt-to-improve-domestic-cybersecurity.html

A North Korean hacking group was reportedly able to obtain domain controller-level access to a crucial nuclear power plant in India; it appears the goal of the campaign was to steal information, not cause any damage to the plant.
https://arstechnica.com/information-technology/2019/10/indian-nuke-plants-network-reportedly-hit-by-malware-tied-to-n-korea/

The U.S. Federal Communications Commission is considering new rules that would require telecommunications companies to remove all Huawei and ZTE components from their equipment.
https://techcrunch.com/2019/10/28/fcc-rules-huawei-zte/

The country of Georgia was hit with a massive cyber attack Tuesday, taking down more than 2,000 websites and disrupting the national TV station.
https://www.bbc.com/news/technology-50207192

A new device disguised as a phone charger takes over users’ phones and interacts with pages on Google, Amazon, and other websites in an attempt to degrade the reliability of information collected by data brokers.
https://www.vice.com/en_us/article/mbm4da/this-charger-takes-over-your-phone-to-poison-the-ad-data-amazon-wants

New malware discovered on Android phones cannot be removed, even after a factory reset of the device, as it continues to reinstall itself.
https://www.zdnet.com/article/new-unremovable-xhelper-malware-has-infected-45000-android-devices/

MOST PREVALENT MALWARE FILES October 24 – 31, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201

SHA 256: 6b01db091507022acfd121cc5d1f6ff0db8103f46a1940a6779dc36cca090854
MD5: 74f4e22e5be90d152521125eaf4da635
Typical Filename: jsonMerge.exe
Claimed Product: ITSPlatform
Detection Name: W32.GenericKD:Attribute.22lk.1201