@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 49

@RISK: The Consensus Security Vulnerability Alert
December 5, 2019 – Vol. 19, Num. 49

CONTENTS:
=========================================================
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES November 28 – December 5, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: SQL injection vulnerabilities in Forma Learning Management System
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Forma LMS open-source program open to SQL injection attacks
Description: There are three SQL injection vulnerabilities in the authenticated portion of the Forma Learning Management System. LMS is a set of software that allows companies to build and host different training courses for their employees. The software operates with an open-source licensing model and now operates under the Forma organization. An attacker can send a web request with parameters containing SQL injection attacks to trigger these bugs.
Reference: https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-sql-injection-dec-19.html
Snort SIDs: 51611 – 51619 (By Marcos Rodriguez)

Title: Accusoft ImageGear PNG IHDR width code execution vulnerability
Description: Accusoft ImageGear contains two remote code execution vulnerabilities. ImageGear is a document and imaging library from Accusoft that developers can use to build their applications. The library contains the entire document imaging lifecycle. This vulnerability is present in the Accusoft ImageGear library, which is a document-imaging developer toolkit.
Reference: https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-accusoft-PNG-dec-19.html
Snort SIDs: 3132, 32889, 50806, 50807, 51530, 51531, 52033, 52034 (By Kristen Houser and Mike Bautista)

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

French officials say they are still considering a response to a cyber attack on a public hospital, including a possible “hack back.”
https://www.bloomberg.com/news/articles/2019-11-28/france-not-ruling-out-response-to-cyber-attack-on-hospital

RCS, which is meant to be a replacement for SMS messages, is open to a series of attacks, including text message and call interception, and number spoofing.
https://www.vice.com/en_us/article/j5ywxb/rcs-rich-communications-services-text-call-interception

A popular website among hackers that sold spying tools was taken down after an international investigation. The British government says the site sold these tools to more than 14,500 people.
https://www.bbc.com/news/technology-50601905

A Canadian court is allowing convicted criminals to challenge their sentences if they were apprehended using a controversial cell phone tracking tool used by police.
https://nationalpost.com/news/canada/alberta-judge-allows-defence-lawyers-to-shine-a-light-on-police-use-of-stingray-technology

Popular spyware company Hacking Team is making a comeback under new ownership, with the aim of ensuring their tools aren’t being abused.
https://www.technologyreview.com/s/614767/the-fall-and-rise-of-a-spyware-empire/

Louisiana is still recovering from a ransomware attack, with delays coming to the state’s Medicaid program and workers scrambling to recover lost data.
https://arstechnica.com/information-technology/2019/11/hackers-paradise-louisianas-ransomware-disaster-far-from-over/

Hackers used credential-stuffing attacks immediately after the launch of the Disney+ streaming service to take over users’ accounts, but Disney still maintains there was not a data breach.
https://www.cpomagazine.com/cyber-security/new-disney-plus-streaming-service-hit-by-credential-stuffing-cyber-attack/

A cyber security activist hopes a new lawsuit will make public a list of electric companies that have failed to meet security standards in the past and have paid fines for their lack of protections.
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/12/03/the-cybersecurity-202-activist-wants-court-to-name-and-shame-electric-utilities-for-violating-cybersecurity-rules/5de550bf88e0fa652bbbdb18/

MOST PREVALENT MALWARE FILES November 28 – December 5, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
MD5: c5608e40f6f47ad84e2985804957c342
VirusTotal: virus analysis
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd

SHA 256: a97e5396d7dcd103138747ad09486671321fb75e01a70b26c908e7e0b727fad1
MD5: ef048c07855b3ef98bd991c413bc73b1
VirusTotal: virus analysis
Typical Filename: xme64-501.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Razy::tpd

SHA 256: 49b9736191fdb2eb62b48e8a093418a2947e8d288f39b98d65a903c2ae6eb8f5
MD5: df432f05996cdd0973b3ceb48992c5ce
VirusTotal: virus analysis
Typical Filename: xme32-501-gcc.exe
Claimed Product: N/A
Detection Name: W32.49B9736191-100.SBX.TG

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: virus analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6
MD5: f7145b132e23e3a55d2269a008395034
VirusTotal: virus analysis
Typical Filename: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6.bin
Claimed Product: N/A
Detection Name: Unix.Exploit.Lotoor::other.talos