@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 42

@RISK: The Consensus Security Vulnerability Alert
October 17, 2019 – Vol. 19, Num. 42
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES October 10 – 17, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: WebKit bug affects Safari, Chrome users
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Apple WebKit opens users up to malicious advertising
Description: Multiple vulnerabilities in Apple’s WebKit are allowing attackers to serve users’ malicious advertisements. This campaign affected the Google Chrome and Safari web browsers on iOS and MacOS, but the vulnerabilities were all patched out in Apple’s latest series of security updates. All the ads centered around the user’s specific mobile carrier, hoping to entice them to visit malicious websites. The vulnerabilities would allow the ads to break out of any sandboxes in place.
Reference: https://9to5mac.com/2019/10/02/scam-popup-ads/
Snort SIDs: 51821 – 51824, 51831, 58132 (By John Levy)

Title: Remote code execution bug in vBulletin
Description: A now-patched vulnerability in the popular service vBulletin is allowing attackers to completely take over sites that use the software. vBulletin powers the commenting functions for many popular sites. An attacker could exploit this vulnerability to gain the ability to remotely execute malicious code on any vBulletin server running versions 5.0.0 through 5.5.4. This bug was initially dropped as a zero-day by an anonymous user, but has since been patched by the company. The Snort rules below prevent any attempt to inject code into the server using this bug. Marcos Rodriguez wrote these rules.
Reference: https://arstechnica.com/information-technology/2019/09/public-exploit-code-spawns-mass-attacks-against-high-severity-vbulletin-bug/
Snort SIDs: 51834 – 51837 (By Marcos Rodriguez)

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Two high-profile Moroccan activists had their mobile phones targeted by the Israeli-connected Pegasus spyware.
https://arstechnica.com/information-technology/2019/10/activists-phones-targeted-by-one-of-the-worlds-most-advanced-espionage-apps/

Google’s new Pixel 4 and Pixel XL will have the ability to transcribe users’ voice recordings in notes mode, even if the device is offline.
https://techcrunch.com/2019/10/15/googles-new-voice-recorder-app-transcribes-in-real-time-even-when-offline/

A new wave of ATM “jackpotting” malware has hit banks across the globe, forcing ATMs to randomly spit out all of the money they contain.
https://www.vice.com/en_us/article/7x5ddg/malware-that-spits-cash-out-of-atms-has-spread-across-the-world

GitHub continues to receive pushback for its connection to China and U.S. Immigration and Customs Enforcement, even holding a secret meeting with its employees to discuss renewing the company’s contract with ICE.
https://www.theverge.com/2019/10/10/20908713/github-ceo-china-transcript-leak-microsoft

Mozilla says it’s better protecting Firefox from code injection attacks by removing inline scripts in the web browser.
https://www.zdnet.com/article/mozilla-to-firefox-users-heres-how-were-protecting-you-from-code-injection-attacks/

Any escalation of cyber war between the U.S. and Iran could have wide-ranging consequences, with the worst possible scenario being the deployment of Stuxnet.
https://www.cpomagazine.com/cyber-security/cyber-war-between-iran-and-united-states-could-have-far-reaching-implications/

A popular app highly promoted by China’s government may actually be giving them the ability to monitor more than 100 million users’ habits and copy the data from their mobile device.
https://www.bbc.com/news/technology-50042379

A popular underground marketplace for stolen credit card information was hacked, and a text file containing all the information in the store was shared with financial institutions who could alert the owners of the cards.
https://krebsonsecurity.com/2019/10/briansclub-hack-rescues-26m-stolen-cards/

MOST PREVALENT MALWARE FILES October 10 – 17, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: scan analysisils
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: scan analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: scan analysis
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG

@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 41

@RISK: The Consensus Security Vulnerability Alert
October 10, 2019 – Vol. 19, Num. 41
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES October 3 – 10, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Microsoft Patch Tuesday – Oct. 2019: Vulnerability disclosures and Snort coverage
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft discloses 60 vulnerabilities as part of monthly security update
Description: Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 60 vulnerabilities, nine of which are considered “critical,” with the rest being deemed “important.”
This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software.
Reference: https://blog.talosintelligence.com/2019/10/microsoft-patch-tuesday-oct-2019.html
Snort SIDs: 51733 – 51736, 51739 – 51742, 51781 – 51794

Title: Multiple vulnerabilities in Schneider Electric Modicon M580
Description: There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, the majority of which can cause a denial of service. The Modicon M580 is the latest in Schneider Electric’s Modicon line of programmable automation controllers. The majority of the bugs exist in the Modicon’s use of FTP. Schneider Electric Modicon M580, BMEP582040 SV2.80, is affected by these vulnerabilities.
Reference: https://blog.talosintelligence.com/2019/10/vuln-spotlight-schneider-electric-m580-part-2-sept-2019.html
Snort SIDs: 49982, 49983

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Twitter says it used phone numbers and emails linked to two-factor authentication to serve targeted ads.
https://techcrunch.com/2019/10/08/twitter-admits-it-used-two-factor-phone-numbers-and-emails-for-targeted-advertising/

An Iranian hacking group carried out targeted attacks on Microsoft email accounts, including many that belonged to a U.S. presidential candidate.
https://www.geekwire.com/2019/iranian-hacker-group-attacked-hundreds-email-accounts-tied-us-presidential-candidate-microsoft-says/

After this hacking group’s actions were uncovered, they started to go after researchers who are looking into their attacks.
https://www.cyberscoop.com/iran-hacking-clearsky-microsoft-charming-kitten/

A group of cyber security firms are teaming up to promote greater cooperation between the companies’ products, including a shared set of protocols and standards.
https://www.cbronline.com/news/open-cybersecurity-alliance

The U.S. government is increasingly using child exploitation as an argument against encryption, but experts worry it will mislead the American public on encryption’s advantages.
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/10/08/the-cybersecurity-202-experts-slam-justice-s-move-to-make-child-exploitation-the-face-of-antiencryption-push/5d9b664e88e0fa747e6d5169/

Cyber security agencies in the U.S. and U.K. warned of state-sponsored attacks against several popular VPN services.
https://www.zdnet.com/article/vpn-users-if-youre-on-fortinet-palo-alto-pulse-secure-patch-now-warns-spy-agency/

Several hospitals across the U.S. and Australia were taken offline in the past week due to ransomware attacks.
https://www.welivesecurity.com/2019/10/03/hospitals-us-australia-ransomware/

Apple released its new Catalina operating system this week, and it comes with several new security features.
https://www.zdnet.com/article/these-are-the-macos-catalina-10-15-security-updates-you-need-to-know-about/

MOST PREVALENT MALWARE FILES October 3 – 10, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: scan analysis
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: scan analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: ce8cb7c8dc29b9e4feab463fdf53b569b69e6a5c4ab0e50513b264563d74a6ac
MD5: 0e02555ede71bc6c724f9f924320e020
VirusTotal: scan analysis
Typical Filename: dllhostex.exe
Claimed Product: Microsoft(R) Windows(R) Operating System
Detection Name: W32.CoinMiner:CryptoMinerY.22k3.1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 40

@RISK: The Consensus Security Vulnerability Alert
October 3, 2019 – Vol. 19, Num. 40
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES September 26 – October 3, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: APT targets members of Tibetan government with spyware
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Moonshine attack installs spyware on Android devices
Description: Researchers recently discovered the Moonshine attack being used in the wild. An APT known as “Poison Karp” used Moonshine to load spyware onto mobile devices belonging to members of the Tibetan government. The attack consists of a mixture of eight different vulnerabilities in the Android mobile operating system, but no zero-days. Researchers say the attackers targeted staffers of the Dalai Lama once in 2018, and then again in April and May of this year.
Reference: https://www.scmagazine.com/home/security-news/apts-cyberespionage/poison-carp-cyberespionage-group-targeting-tibetan-officials-with-mobile-malware/
Snort SIDs: 51672 (By Lilia Gonzalez Medina)

Title: Foxit PDF Reader JavaScript Array includes remote code execution vulnerability
Description: Foxit PDF Reader contains a remote code execution vulnerability in its JavaScript engine. Foxit aims to be one of the most feature-rich PDF readers on the market and contains many similar functions to that of Adobe Acrobat Reader. The software uses JavaScript at several different points when opening a PDF. A bug exists in the JavaScript reading function that results in a large amount of memory to be allocated, which quickly uses up all available memory. An attacker could exploit this vulnerability to then gain the ability to remotely execute code.
Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-foxit-PDF-JavaScript-sept-2019.html
Snort SIDs: 49648, 49649 (By Mike Bautista)

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

A security researcher says they’re producing a legitimate-looking iPhone cable that can actually allow the user to completely take over another user’s machine by connecting their phone to the targeted machine.
https://www.vice.com/en_us/article/3kx5nk/fake-apple-lightning-cable-hacks-your-computer-omg-cable-mass-produced-sold

It’s becoming increasingly easier for companies to buy misinformation campaigns designed to discredit their competition.
https://www.recordedfuture.com/disinformation-service-campaigns/

A group of academics in Germany discovered a new attack vector that could allow a malicious user to steal information from encrypted PDFs without any user interaction.
https://www.zdnet.com/article/new-pdfex-attack-can-exfiltrate-data-from-encrypted-pdf-files/

A criminal group was able to exploit two major web browser vulnerabilities over the past six months to display a combined 2 billion malicious ads to users across the internet.
https://www.zdnet.com/article/malvertiser-exploited-two-browser-bugs-to-show-over-one-billion-malicious-ads/

The U.S. Senate passed a bill that would allow the Department of Homeland Security to establish incident response teams to assist local and state governments in the event of a ransomware attack.
https://threatpost.com/senate-passes-bill-aimed-at-combating-ransomware-attacks/148779/

The former CEO of MyPayrollHR was arrested and charged with fraud, weeks after the company quietly shut down and caused $26 million worth of paychecks to be withdrawn from customers’ employees’ accounts.
https://krebsonsecurity.com/2019/09/mypayrollhr-ceo-arrested-admits-to-70m-fraud/

Cisco Talos recently discovered a new malware loader being used to deliver and infect systems with a previously undocumented malware payload called “Divergent.”
https://blog.talosintelligence.com/2019/09/divergent-analysis.html

The National Security Agency formally announced a new Cybersecurity Directorate, which will bring all of its cyber attack prevention efforts under one roof.
https://www.washingtonpost.com/national-security/nsa-launches-new-cyber-defense-directorate/2019/09/30/c18585f6-e219-11e9-be96-6adb81821e90_story.html

Attackers are increasingly using the ODT file type to bypass anti-virus detection.
https://blog.talosintelligence.com/2019/09/odt-malware-twist.html

MOST PREVALENT MALWARE FILES September 26 – October 3, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: scan analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: scan analysis
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 39b114b72b19777a5c012b9f11d37f2402ed99e9f7e173826b8b61c933bf34e8
MD5: fbc6bd8bf115cb3f93a520d22b054b90
VirusTotal: scan analysis
Typical Filename: N/A
Claimed Product: N/A
Detection Name: PUA.Win.Trojan.Remoteexec::tpd

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201