@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 36

@RISK: The Consensus Security Vulnerability Alert
September 5, 2019 – Vol. 19, Num. 36
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES August 29 – September 5, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Additional protection for attacks against popular VPN service
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: New protection fends off password-stealing attacks from popular VPN service
Description: Last week, attackers began launching password-stealing attacks against the Fortigate and Pulse VPN services. At the time, Cisco Talos released SNORT(R) rules to protect Pulse VPN, and there is now additional protection for Fortigate. Attackers are attempting to steal encryption keys, passwords and other important data from servers utilizing these two VPN services. These bugs can be exploited by sending the unpatched servers a specialized Web request that contains a special sequence of characters.
Reference: https://arstechnica.com/information-technology/2019/08/hackers-are-actively-trying-to-steal-passwords-from-two-widely-used-vpns/
Snort SIDs: 51370 – 51372, 51387 (Written by John Levy)

Title: Multiple vulnerabilities disclosed in Cisco NX-OS software
Description: Cisco disclosed three denial-of-service vulnerabilities in its NX-OS software: CVE-2019-1965, CVE-2019-1964 and CVE-2019-1962. These bugs can cause a variety of conditions, including forced reboots, crashes or disruption of certain processes. All three are considered high-severity vulnerabilities.
Reference:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-memleak-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ipv6-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-fsip-dos
Snort SIDs: 51365 – 51367 (Written by John Levy)

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Google’s Project Zero uncovered several malicious websites that compromised iPhones for years, just by having users visit them.
https://www.cnet.com/news/google-says-iphone-security-flaws-let-websites-hack-them-for-years/

Security researchers believe this discovery could lead to a new wave of attacks on iPhones after the devices were mainly targets of nation-state actors.
https://www.wired.com/story/ios-attack-watering-hole-project-zero/

A new report suggests ransomware attacks may be on the rise because threat actors are encouraged by extortion payments from insurance companies.
https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks

Attackers used the “SIM hacking” technique to take over Twitter CEO Jack Dorsey’s personal account, posting offensive messages and linking to the group’s Discord channel.
https://www.theverge.com/2019/8/31/20841448/jack-dorsey-twitter-hacked-account-sim-swapping

Amazon’s Ring home security service recently released a list of the more than 400 police departments it partners with for a variety of reasons, and a new map can help users see what their cameras’ footage may be used for.
https://lifehacker.com/how-to-see-if-police-are-using-ring-doorbells-to-monito-1837797394

Apple apologized to users for its practice of allowing contracted employees to listen in on Siri recordings. The company now says it will be an opt-in program, with the goal of improving the AI assistant.
https://www.theguardian.com/technology/2019/aug/29/apple-apologises-listen-siri-recordings

Chinese tech company Huawei accused the U.S. of launching cyber attacks against its networks, while also denying allegations that it stole smart camera technology from a Portuguese firm. (Please note this article is behind a paywall.)
https://www.wsj.com/articles/huawei-accuses-the-u-s-of-cyberattacks-threatening-its-employees-11567500484

MOST PREVALENT MALWARE FILES August 29 – September 5, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: scan analysis
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 9a082883ad89498af3ad8ece88d982736edbd46d65908617cf292cf7b5836dbc
MD5: 7a6f7f930217521e47c7b8d91fb79649
VirusTotal: scan analysis
Typical Filename: DHL Scan File.img
Claimed Product: IMGBURN V2.5.8.0 – THE ULTIMATE IMAGE BURNER!
Detection Name: W32.9A082883AD-100.SBX.TG

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: scan analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c
MD5: c785a8b0be77a216a5223c41d8dd937f
VirusTotal: scan analysis
Typical Filename: cslast.gif
Claimed Product: N/A
Detection Name: W32.1755C179F0-100.SBX.TG

SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7
MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
VirusTotal: scan analysis
Typical Filename: sayext.gif
Claimed Product: N/A
Detection Name: W32.093CC39350-100.SBX.TG

@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 35

@RISK: The Consensus Security Vulnerability Alert
August 29, 2019 – Vol. 19, Num. 35
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES August 22 – 29, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Cisco 220 smart switches open to data leak
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Nest Cam IQ camera open to takeover, data disclosure
Description: Two vulnerabilities in Cisco’s 220 series of smart switches for small businesses could allow an attacker to leak sensitive information or inject malicious code. CVE-2019-1912 could allow an attacker to bypass security checks on the switch and upload arbitrary files. And CVE-2019-1913 opens the switches to a buffer overflow attack, which could be used to gain the ability to remotely execute code on the machine with root privileges.
Reference:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-auth_bypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-rce
Snort SIDs: 51293 – 51295 (Written by John Levy), 51298 – 51300 (Written by Amit Raut), 51306 – 51307 (Written by Tim Muniz)

Title: Aspose APIs contain bugs that could lead to remote code execution
Description: Attackers are actively exploiting vulnerabilities in the Fortigate and Pulse VPN services to steal encryption keys, passwords and other sensitive data. These campaigns, which started last week, target the Webmin utility for managing Linux and *NIX systems. These are devices in enterprise networks, and the vulnerabilities involved could allow an attacker to take complete control of a system.
Reference: https://www.zdnet.com/article/hackers-mount-attacks-on-webmin-servers-pulse-secure-and-fortinet-vpns/
Snort SIDs: 51240 – 51243 (Written by John Levyu), 51288, 51289 (Written by Joanne Kim)

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Apple repatched a vulnerability in iOS that could allow users to jailbreak their devices — a week after a hacker discovered an older patch had been undone.
https://www.cnet.com/news/apple-releases-ios-12-4-1-to-reportedly-fix-iphone-jailbreak/

The U.S. is close to launching a program to focus on protecting the 2020 U.S. presidential election from a ransomware attack.
https://www.cnbc.com/2019/08/26/us-officials-fear-ransomware-attack-against-2020-election.html

An independent security researcher dropped a zero-day vulnerability in Valve’s Steam video game launcher after Valve banned him from the company’s bug bounty program.
https://www.vice.com/en_us/article/wjwd8n/hacker-drops-steam-zero-day-after-being-banned-from-valve-bug-bounty-program

New emails uncovered between Facebook employees show that the social media giant may have known earlier than initially disclosed about Cambridge Analytica’s mishandling of users’ data.
https://techcrunch.com/2019/08/23/facebook-really-doesnt-want-you-to-read-these-emails/

Mobile carriers say an agreement with the U.S. government will start cutting down on robocalls, but researchers are skeptical of how effective the rules will be.
https://arstechnica.com/tech-policy/2019/08/us-phone-carriers-make-empty-unenforceable-promises-to-fight-robocalls/

Spammers have started using Google calendar invites as a new form of social engineering.
https://www.cbsnews.com/news/google-calendar-spam-is-on-the-rise-heres-how-to-stop-the-calendar-invite-spam/

Courthouses in Georgia are still using paper records to keep track of criminal cases and traffic citations months after a ransomware attack.
https://www.ajc.com/news/local/courts-across-georgia-struggling-keep-since-cyberattack/ZpresJoKsiNqPWNiQwoTCO/

A recent round of ransomware attacks on cities in Texas could encourage attackers to carry out similar campaigns in the future.
https://www.cnbc.com/2019/08/22/texas-ransomware-attacks-tell-the-us-cybersecurity-story.html

MOST PREVALENT MALWARE FILES August 22 – 29, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: virus analysis
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: virus analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c
MD5: c785a8b0be77a216a5223c41d8dd937f
VirusTotal: virus analysis
Typical Filename: cslast.gif
Claimed Product: N/A
Detection Name: W32.1755C179F0-100.SBX.TG

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: virus analysis
Typical Filename: invoice.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG

SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7
MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
VirusTotal: virus analysis
Typical Filename: sayext.gif
Claimed Product: N/A
Detection Name: W32.093CC39350-100.SBX.TG

@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 34

@RISK: The Consensus Security Vulnerability Alert
August 22, 2019 – Vol. 19, Num. 34
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES August 15 – 22, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Vulnerabilities in Google Nest cameras could allow attacker to leak data
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Nest Cam IQ camera open to takeover, data disclosure
Description: Cisco Talos recently discovered multiple vulnerabilities in the Nest Cam IQ Indoor camera. One of Nest Labs’ most advanced internet-of-things devices, the Nest Cam IQ Indoor integrates Security-Enhanced Linux in Android, Google Assistant, and even facial recognition all into a compact security camera. It primarily uses the Weave protocol for setup and initial communications with other Nest devices over TCP, UDP, Bluetooth and 6lowpan. Most of these vulnerabilities lie in the weave binary of the camera, however, there are some that also apply to the weave-tool binary. It is important to note that while the weave-tool binary also lives on the camera and is vulnerable, it is not normally exploitable as it requires a local attack vector (i.e. an attacker-controlled file) and the vulnerable commands are never directly run by the camera.
Reference: https://blog.talosintelligence.com/2019/08/vuln-spotlight-nest-camera-openweave-aug-2019.html
Snort SIDs: 49843 – 49855, 49797, 49798, 49801 – 49804, 49856, 49857, 49813 – 49816, 49912 (Written by Josh Williams)

Title: Aspose APIs contain bugs that could lead to remote code execution
Description: Cisco Talos recently discovered multiple remote code execution vulnerabilities in various Aspose APIs. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs, Microsoft Word files and more. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and trick them into opening it while using the corresponding API.
Reference: https://blog.talosintelligence.com/2019/08/aspose-APIs-RCE-vulns-aug-2019.html
Snort SIDs: 49756, 49757, 49760, 49761, 49852, 49853 (Written by Cisco Talos analysts)

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

A new vulnerability in Bluetooth could allow an attacker to intercept keystrokes on mobile devices and potentially steal sensitive information.
https://arstechnica.com/information-technology/2019/08/new-attack-exploiting-serious-bluetooth-weakness-can-intercept-sensitive-data/

Bernie Sanders became the first 2020 presidential candidate to publicly call for an end to the use of facial recognition technology by law enforcement agencies.
https://www.vox.com/recode/2019/8/19/20812594/bernie-sanders-ban-facial-recognition-tech-police

Instagram is expanding its bug bounty program to reward researchers who discover third-party apps that inappropriately disclose user data.
https://www.engadget.com/2019/08/19/facebook-data-abuse-bounty-program-instagram-checkout/

Apple mistakenly unpatched a vulnerability that could allow users to jailbreak the iPhone, and hackers quickly went public with a way to break into a fully up-to-date device.
https://www.vice.com/en_us/article/qvgp77/hacker-releases-first-public-iphone-jailbreak-in-years

Security researchers discovered an unpatchable vulnerability in a line of SoC boards manufactured by American manufacturer Xilinx.
https://www.zdnet.com/article/unpatchable-security-flaw-found-in-popular-soc-boards/

Twenty-three cities in Texas have been hit with a ransomware attack believed to originate from a single threat actor.
https://www.npr.org/2019/08/20/752695554/23-texas-towns-hit-with-ransomware-attack-in-new-front-of-cyberassault

The United States gave Chinese tech company Huawei another 90-day import agreement that will allow the company to use American-made parts as the two sides continue to discuss security concerns.
https://www.reuters.com/article/us-huawei-tech-usa-license-exclusive-idUSKCN1V701U?

MOST PREVALENT MALWARE FILES August 15 – 22, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: b22eaa5c51f0128d5e63a67ddf44285010c05717e421142a3e59bba82ba1325a
MD5: 125ef5dc3115bda09d2cef1c50869205
VirusTotal: virus analysis
Typical Filename: helpermcp
Claimed Product: N/A
Detection Name: PUA.Osx.Trojan.Amcleaner::sbmt.talos

SHA 256: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6
MD5: f7145b132e23e3a55d2269a008395034
VirusTotal: virus analysis
Typical Filename: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6.bin
Claimed Product: N/A
Detection Name: Unix.Exploit.Lotoor::other.talos

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: virus analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: virus analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: virus analysis
Typical Filename: invoice.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG