Category: Security Vulnerability Alert

@RISK: The Consensus Security Vulnerability Alert
September 19, 2019 – Vol. 19, Num. 38
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES September 12 – 19, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Some AMD graphics cards open to remote code execution attacks
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Remote code execution vulnerability in some AMD Radeon cards
Description: A line of AMD Radeon cards contains a remote code execution vulnerability in their ATIDXX64.DLL driver. AMD produces the Radeon line of hardware, which includes graphics cards and graphics processing units. This specific vulnerability exists on the Radeon RX 550 and the 550 Series while running VMWare Workstation 15. An attacker could exploit this vulnerability by supplying a malformed pixel shared inside the VMware guest operating system to the driver. This could corrupt memory in a way that would allow the attacker to gain the ability to remotely execute code on the victim machine.
Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-AMD-Radeon-ATI-sept-19.html
Snort SIDs: 49978, 49979 (Written by Tim Muniz)

Title: Atlassian Jira service contains multiple vulnerabilities, including remote JavaScript execution
Description: Atlassian’s Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is a piece of software that allows users to create, manage and organize tasks and manage projects. These bugs could create a variety of scenarios, including the ability to execute code inside of Jira and the disclosure of information inside of tasks created in Jira, including attached documents.
Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-atlassian-jira-sept-19.html
Snort SIDs: 50110, 50111 (Written by Amit Raut), 50114 (Written by Josh Williams)

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

The U.S. Treasury Department announced a new round of sanctions targeting three North Korean state-sponsored threat groups.
https://home.treasury.gov/news/press-releases/sm774

States across the U.S. were critical of a cyber security “report card” that pointed out flaws in their election systems, saying that the company that wrote the reports had flawed methodology and is only after publicity.
https://www.propublica.org/article/report-on-election-security-gains-attention-and-a-sharp-rebuke

Windows’ new “health release dashboard” is designed to make updates easier, but security researchers have already discovered several bugs and design flaws.
https://www.zdnet.com/article/windows-10-has-microsoft-cleaned-up-its-update-mess-spoiler-maybe/

A vulnerability in the soon-to-be-released iOS 13 could allow a malicious user to bypass the phone’s lockscreen and view the owners’ contacts.
https://www.theverge.com/2019/9/13/20863993/ios-13-exploit-lockscreen-bypass-security

The LastPass password manager fixed a bug that could have exposed the credentials a user entered on previous websites they visited.
https://gizmodo.com/you-should-update-lastpass-right-now-1838142059

Attackers are impersonating organizations’ executives as a way of obtaining digital certificates.
https://blog.reversinglabs.com/blog/digital-certificates-impersonated-executives-as-certificate-identity-fronts

The new Wi-Fi 6 certifications rolled out this week, opening devices up to faster internet speeds than ever.
https://www.theverge.com/2019/9/16/20864338/wifi-6-alliance-tech-certification-program-launch

MOST PREVALENT MALWARE FILES September 12 – 19, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: scan analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 26da22347f1d91f6ca56b7c47644a776b72251d3de11c90d9fd77556d5236f5e
MD5: f6f6039fc64ad97895142dc99554e971
VirusTotal: scan analysis
Typical Filename: CSlast.gif
Claimed Product: N/A
Detection Name: W32.26DA22347F-100.SBX.TG

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: scan analysis
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG

SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7
MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
VirusTotal: scan analysis
Typical Filename: sayext.gif
Claimed Product: N/A
Detection Name: W32.093CC39350-100.SBX.TG

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

@RISK: The Consensus Security Vulnerability Alert
September 12, 2019 – Vol. 19, Num. 37
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES September 5 – 12, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Microsoft releases monthly security updates
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft patches 19 critical bugs as part of security update
Description: Microsoft released its monthly security update this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 85 vulnerabilities, 19 of which are rated “critical,” 65 that are considered “important” and one “moderate.” There is also a critical advisory relating to the latest update to Adobe Flash Player. This month’s security update covers security issues in a variety of Microsoft services and software, including the Jet Database Engine and the Hyper-V hypervisor. Most notably, this release contains another round of vulnerabilities in remote desktop services, the latest in a line of RDP bugs that are considered “wormable.” Talos has already outlined how Cisco Firepower users can stay protected from other series of RDP vulnerabilities known as “BlueKeep” and “DejaBlue.”
Reference: https://blog.talosintelligence.com/2019/09/microsoft-patch-tuesday-sept-2019.html
Snort SIDs: 51436 – 51438, 51445, 51446, 51449 – 51452, 51454 – 51457, 51463 – 51465, 51479 – 51483

Title: Some NETGEAR routers vulnerable to DoS attacks
Description: The NETGEAR N300 line of wireless routers contains two denial-of-service vulnerabilities. The N300 is a small and affordable wireless router that contains the basic features of a wireless router. An attacker could exploit these bugs by sending specific SOAP and HTTP requests to different functions of the router, causing it to crashentirely.
Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-Netgear-N300-routers-DoS-sept-2019.html
Snort SIDs: 50040 (Written by Dave McDaniel)

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Apple fired back at a report from Google’s security arm that recently highlighted an exploit in their iOS mobile operating system, saying the company was “stoking fear.”
https://www.theverge.com/2019/9/6/20853115/apple-google-iphone-security-flaw-uighur-community-fud

Some states’ Departments of Motor Vehicles are selling drivers’ personal information to private investigators and other businesses.
https://www.vice.com/en_us/article/43kxzq/dmvs-selling-data-private-investigators-making-millions-of-dollars

A set of Chromebooks mistakenly warned users that the devices’ end-of-life was approaching, despite Google promising it will provide updates to the laptops for six-and-a-half years.
https://arstechnica.com/gadgets/2019/09/some-chromebooks-mistakenly-declared-themselves-end-of-life-last-week/

A new report exposed a cyber attack on a portion of the U.S. electric grid from earlier this year, the first disruptive cyber attack on the American energy grid ever recorded.
https://www.eenews.net/stories/1061111289

The popular Wikipedia service was intermittently unavailable across Europe after a string of denial-of-service attacks last week.
https://techcrunch.com/2019/09/07/wikipedia-blames-malicious-ddos-attack-after-site-goes-down-across-europe-middle-east/

U.S. Senate Majority Leader Mitch McConnell continues to block a vote on a series of cyber security bills aimed at protecting American elections, and some believe it could be at the direction of the White House.
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/09/09/the-cybersecurity-202-here-s-why-mitch-mcconnell-s-blocking-election-security-bills/5d758b86602ff171a5d734b6/

The U.S. filed criminal charges against a professor in Texas for allegedly stealing a startup company’s technology on behalf of Chinese tech company Huawei. (Please note that this story is behind a paywall.)
https://www.wsj.com/articles/u-s-files-criminal-charges-against-chinese-professor-linked-to-huawei-11568048700

MOST PREVALENT MALWARE FILES September 5 – 12, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13
MD5: c24315b0585b852110977dacafe6c8c1
VirusTotal: virus analysis
Typical Filename: puls.exe
Claimed Product: N/A
Detection Name: W32.DoublePulsar:WNCryLdrA.22is.1201

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: virus analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256:46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: virus analysis
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: virus analysis
Typical Filename: qmreportupload
Claimed Product: qmreportupload.exe
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7
MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
VirusTotal: virus analysis
Typical Filename: sayext.gif
Claimed Product: N/A
Detection Name: W32.093CC39350-100.SBX.TG

@RISK: The Consensus Security Vulnerability Alert
September 5, 2019 – Vol. 19, Num. 36
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES August 29 – September 5, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Additional protection for attacks against popular VPN service
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: New protection fends off password-stealing attacks from popular VPN service
Description: Last week, attackers began launching password-stealing attacks against the Fortigate and Pulse VPN services. At the time, Cisco Talos released SNORT(R) rules to protect Pulse VPN, and there is now additional protection for Fortigate. Attackers are attempting to steal encryption keys, passwords and other important data from servers utilizing these two VPN services. These bugs can be exploited by sending the unpatched servers a specialized Web request that contains a special sequence of characters.
Reference: https://arstechnica.com/information-technology/2019/08/hackers-are-actively-trying-to-steal-passwords-from-two-widely-used-vpns/
Snort SIDs: 51370 – 51372, 51387 (Written by John Levy)

Title: Multiple vulnerabilities disclosed in Cisco NX-OS software
Description: Cisco disclosed three denial-of-service vulnerabilities in its NX-OS software: CVE-2019-1965, CVE-2019-1964 and CVE-2019-1962. These bugs can cause a variety of conditions, including forced reboots, crashes or disruption of certain processes. All three are considered high-severity vulnerabilities.
Reference:
– https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-memleak-dos
– https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ipv6-dos
– https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-fsip-dos
Snort SIDs: 51365 – 51367 (Written by John Levy)

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Google’s Project Zero uncovered several malicious websites that compromised iPhones for years, just by having users visit them.
https://www.cnet.com/news/google-says-iphone-security-flaws-let-websites-hack-them-for-years/

Security researchers believe this discovery could lead to a new wave of attacks on iPhones after the devices were mainly targets of nation-state actors.
https://www.wired.com/story/ios-attack-watering-hole-project-zero/

A new report suggests ransomware attacks may be on the rise because threat actors are encouraged by extortion payments from insurance companies.
https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks

Attackers used the “SIM hacking” technique to take over Twitter CEO Jack Dorsey’s personal account, posting offensive messages and linking to the group’s Discord channel.
https://www.theverge.com/2019/8/31/20841448/jack-dorsey-twitter-hacked-account-sim-swapping

Amazon’s Ring home security service recently released a list of the more than 400 police departments it partners with for a variety of reasons, and a new map can help users see what their cameras’ footage may be used for.
https://lifehacker.com/how-to-see-if-police-are-using-ring-doorbells-to-monito-1837797394

Apple apologized to users for its practice of allowing contracted employees to listen in on Siri recordings. The company now says it will be an opt-in program, with the goal of improving the AI assistant.
https://www.theguardian.com/technology/2019/aug/29/apple-apologises-listen-siri-recordings

Chinese tech company Huawei accused the U.S. of launching cyber attacks against its networks, while also denying allegations that it stole smart camera technology from a Portuguese firm. (Please note this article is behind a paywall.)
https://www.wsj.com/articles/huawei-accuses-the-u-s-of-cyberattacks-threatening-its-employees-11567500484

MOST PREVALENT MALWARE FILES August 29 – September 5, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: scan analysis
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 9a082883ad89498af3ad8ece88d982736edbd46d65908617cf292cf7b5836dbc
MD5: 7a6f7f930217521e47c7b8d91fb79649
VirusTotal: scan analysis
Typical Filename: DHL Scan File.img
Claimed Product: IMGBURN V2.5.8.0 – THE ULTIMATE IMAGE BURNER!
Detection Name: W32.9A082883AD-100.SBX.TG

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: scan analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c
MD5: c785a8b0be77a216a5223c41d8dd937f
VirusTotal: scan analysis
Typical Filename: cslast.gif
Claimed Product: N/A
Detection Name: W32.1755C179F0-100.SBX.TG

SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7
MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
VirusTotal: scan analysis
Typical Filename: sayext.gif
Claimed Product: N/A
Detection Name: W32.093CC39350-100.SBX.TG