Category: Security Vulnerability Alert

@RISK: The Consensus Security Vulnerability Alert
March 14, 2019 – Vol. 19, Num. 11
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES March 7 – 14, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Microsoft discloses 64 vulnerabilities as part of Patch Tuesday
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Patch Tuesday includes 17 critical Microsoft vulnerabilities
Description: Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 64 vulnerabilities, 17 of which are rated “critical,” 45 that are considered “important” and one “moderate” and “low” vulnerability each. This release also includes two critical advisories — one covering security updates to Adobe Flash Player and another concerning SHA-2.
Reference: https://blog.talosintelligence.com/2019/03/microsoft-patch-tuesday-march-2019.html
Snort SIDs: 45142, 45143, 46554, 46555, 48051, 48052, 49172, 49173, 49364 – 49369, 49371, 49372, 49378 – 49395, 49400 – 49403

Title: Multiple vulnerabilities in Pixar Renderman
Description: The MacOS version of Pixar Renderman contains three local vulnerabilities in its install helper tool. An attacker could exploit these bugs to escalate their privileges to root. Renderman is a rendering application used in animation and film production produced by Pixar, a well-known film studio. When installing the application, a helper tool is installed and launched as root. This service continues to listen even after installation is complete. These vulnerabilities lie in the `Dispatch` function of this helper tool.
Reference: https://blog.talosintelligence.com/2019/03/vuln-spotlight-pixar-renderman-local-2019.html
Snort SIDs: 48450 – 48453, 49088, 49089

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Iranian hackers stole an estimated six terabytes of data off of Citrix networks, including e-mails and files stored on sharing services.
https://www.forbes.com/sites/kateoflahertyuk/2019/03/10/citrix-data-breach-heres-what-to-do-next/#49654a741476

Several popular car alarm systems can be bypassed and turned off remotely by attackers, according to new research.
https://www.bbc.com/news/technology-47485731

Google Chrome pushed users to upgrade to Windows 10 after the web browser disclosed a zero-day bug in Windows 7 and Chrome that could allow attackers to push malicious code to users.
https://www.theverge.com/2019/3/8/18256335/google-chrome-windows-against-zero-day-vulnerabilities-update

A new report from the U.S.’s Office of the Inspector General warns that NASA has serious cybersecurity holes that could open the space agency to an attack from a nation-state actor.
https://www.infosecurity-magazine.com/news/nasas-poor-cybersecurity-1-1-1/

Adobe patched critical vulnerabilities in Photoshop and Digital Editions as part of its monthly security update.
https://www.bleepingcomputer.com/news/security/adobe-releases-march-2019-security-fixes-for-photoshop-cc-and-digital-editions/

Social media hackers have stepped up their efforts over the past few months to reinforce pro-Brexit sentiment as the British government works on a deal to leave the European Union.
https://www.securityweek.com/pro-brexit-twitter-manipulation-continues

MOST PREVALENT MALWARE FILES March 7 – 14, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f
MD5: 38de5b216c33833af710e88f7f64fc98
VirusTotal: scan analysis
Typical Filename: SECOH-QAD.exe
Claimed Product: N/A
Detection Name: W32.Hacktool.22ei.1201

SHA 256: 225bb8a1bdcd0132a3624fde62f109a4d59056bc7418a7838b6ac0997127259b
MD5: f953dd9537961aa72648f39379b7ff51
VirusTotal: scan analysis
Typical Filename: SOA.doc
Claimed Product: N/A
Detection Name: W32.225BB8A1BD-95.SBX.TG

SHA 256: 6d36f92ee3f1a7be56e00118cebf62fc4f3f127e307f5a4e7f008793ca549671
MD5: b23f736c46d9fa238b02c9eb0cea37cf
VirusTotal: scan analysis
Typical Filename: CONFIGURETGN.EXE
Claimed Product: N/A
Detection Name: Win.Malware.Generic::in03.talos

SHA 256: 18042540b39d543e9e648e5d0b059d2e8c74889bb9353674be59c94da265f393
MD5: 1a5a7532854ab45ac74b1c657fe47941
VirusTotal: scan analysis
Typical Filename: helperamc.zip
Claimed Product: Advanced Mac Cleaner
Detection Name: W32.18042540B3-95.SBX.TG

SHA 256: 60c5f5f3b78b151fe6a01d4957ad536496b646e9d8288703d10fb8a03afb3b64
MD5: efcaf7a94501ad0c9a37f459a91e493f
VirusTotal: scan analysis
Typical Filename: 1SOAJAN19_exe.bin
Claimed Product: MONARCHOMACHIC9
Detection Name: W32.60C5F5F3B7-100.SBX.T

@RISK: The Consensus Security Vulnerability Alert
March 07, 2019 – Vol. 19, Num. 10
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES March 1 – 7, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Attacks pick up on vulnerable Cisco SOHO routers
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Cisco patches critical vulnerabilities in RV series of routers
Description: Attackers are carrying out attacks on Cisco small and home office routers after the company patched a critical bug in its RV line of routers. The vulnerability bypasses authentication procedures, allowing attackers to go after routers remotely over the internet. Affected models include the Cisco RV110, RV130 and RV215.
Reference: https://www.zdnet.com/article/hackers-have-started-attacks-on-cisco-rv110-rv130-and-rv215-routers/
Snort SIDs: 49296

Title: 19-year-old WinRAR vulnerability finally patched
Description: A micropatch released last week fixes a 19-year-old vulnerability in WinRAR that could allow an attacker to obtain remote code execution privileges. The bug, CVE-2018-20250, could allow an attacker to completely take over a target machine by tricking a user into opening a specially crafted, malicious archive. The latest WinRAR update completely removes support for ACE archives to protect users from this vulnerability.
Reference: https://www.bleepingcomputer.com/news/security/19-year-old-winrar-rce-vulnerability-gets-micropatch-which-keeps-ace-support/
Snort SIDs: 49289 – 49292

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Dow Jones’ list of 2.4 million people who are considered “high-risk” leaked after a company left the list on a database without a password.
https://techcrunch.com/2019/02/27/dow-jones-watchlist-leak/

New reporting pulled the curtain back on Facebook’s massive effort to sway privacy policies across the world by influencing politicians.
https://www.theguardian.com/technology/2019/mar/02/facebook-global-lobbying-campaign-against-data-privacy-laws-investment

Thailand passed a new law that many are considering “martial law” on the internet and could allow the country’s military to make its own cyber laws in urgent cases.
https://www.reuters.com/article/us-thailand-cyber/thailand-passes-internet-security-law-decried-as-cyber-martial-law-idUSKCN1QH1OB

The popular cryptocurrency miner Coinhive is shutting down — but not over security concerns.
https://www.theverge.com/2019/2/28/18244636/coinhive-cryptojacking-cryptocurrency-mining-shut-down-monero-date

The Chinese hacking group APT40 reportedly carried out multiple cyber attacks on different countries in an effort to bolster their Navy.
https://www.infosecurity-magazine.com/news/chinas-apt40-group-stole-navy-1-1/

U.S. Cyber Command carried out an offensive cyber attack against a well-known Russian troll farm on the day of the 2018 midterm elections in the U.S.
https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html

MOST PREVALENT MALWARE FILES March 1 – 7, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: dfe2fcb006df972edf4f8e721bab26cfec809768a0bfbccf5fc661b6ea85dba9
MD5: b860cf8c4cb5dc676ef4893a704c9f8d
VirusTotal: scan report
Typical Filename: MyMapDirections-14900991.exe
Claimed Product: IEInstaller
Detection Name: W32.Auto:dfe2fc.in03.Talos

SHA 256: 3573bf742920655ec2c28c9ec4ac04194e38096f54c63f0ceb02d366c1034f56
MD5: b6ca0e72b072f40f5544b9fd054d6ed1
VirusTotal: scan report
Typical Filename: maftask.zip
Claimed Product: N/A
Detection Name: Auto.3573BF7429.Sbmt.tht.Talos

SHA 256: d7d80bf3f32c20298cad1d59ca8cb4508bad43a9be5e027579d7fc77a8e47be0
MD5: d8461f2978de84045e7ad6bea7a60418
VirusTotal: scan report
Typical Filename: Window.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
MD5: 147ba798e448eb3caa7e477e7fb3a959
VirusTotal: scan report
Typical Filename: ups.exe
Claimed Product: TODO: <产品名>
Detection Name: W32.Variant:Malwaregen.22d1.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan report
Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
Claimed Product: N/A
Detection Name: W32.Generic:Gen.21ij.1201