Security Vulnerability Alert Archives - Page 7 of 33

January 23, 2020March 6, 2020

@RISK: The Consensus Security Vulnerability Alert: Vol. 20, Num. 04

@RISK: The Consensus Security Vulnerability Alert
January 23, 2020 – Vol. 20, Num. 04

CONTENTS:
=========================================================
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES January 16 – 23, 2020
=========================================================
TOP VULNERABILITY THIS WEEK: Microsoft Patch Tuesday includes update to crucial cryptography features
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft cryptography vulnerability lingers after Patch Tuesday
Description: The U.S. National Security Agency released a warning late last week, urging users to update their Microsoft products as soon as possible to fix a vulnerability in its cryptographic certificate-signing function. Attackers could use this bug to sign a program, and make it appear as if it is from a trusted source, without the user ever knowing about the adversary’s actions. A security researcher was even able to create a proof of concept “Rick Rolling” the NSA’s website to display a popular internet meme. The NSA’s statement says that it believes “the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.”
Reference: https://securityboulevard.com/2020/01/nsa-microsoft-releases-patch-to-fix-latest-windows-10-vulnerability/
Snort SIDs: 52617 – 52619

Title: Emotet continues to grow, spike in spam to start off 2020
Description: Emotet continues to infect individuals and organizations all over the world, but Cisco Talos recently discovered a new relationship between Emotet and the .mil (U.S. military) and .gov (U.S./state government) top-level domains (TLDs). When Emotet emerged from its summer vacation back in mid-September 2019, relatively few outbound emails were seen directed at the .mil and .gov TLDs. But sometime in the past few months, Emotet was able to successfully compromise one or more persons working for or with the U.S. government. As a result of this, Talos saw a rapid increase in the number of infectious Emotet messages directed at the .mil and .gov TLDs in December 2019.
Reference: https://blog.talosintelligence.com/2020/01/stolen-emails-reflect-emotets-organic.html
Snort SIDs: 51967-51971, 52029, additional coverage pending

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

A group of American lawmakers is asking the Federal Trade Commission to look into a financial data company that they say is selling individuals’ personal information to third parties without clearly informing them first.
https://www.vice.com/en_us/article/939bja/lawmakers-say-financial-giant-envestnet-has-been-selling-user-data-without-telling-them

Little-known facial recognition startup Clearview AI has already partnered with law enforcement agencies across the globe to provide them access to more than 3 billion photos, which security experts warn could lead to weaponization.
https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html

Equifax settled a class-action lawsuit over a massive data breach in 2017 for $380.5 million.
https://threatpost.com/equifax-settles-class-action-lawsuit/151873/

The FBI seized the domain for WeLeakInfo, a website purporting to sell thousands of stolen credentials, while international police arrested two men in Europe connected to the site.
https://www.npr.org/2020/01/17/797282149/fbi-seizes-website-suspected-of-selling-access-to-billions-of-pieces-of-stolen-d

Citrix released a patch for a critical vulnerability in its VPN services on Jan. 19, just as security researchers discovered attackers exploiting the bug in the wild.
https://arstechnica.com/information-technology/2020/01/as-attacks-begin-citrix-ships-patch-for-vpn-vulnerability/

A new survey from NPR and PBS found that Americans are most worried about the spread of misinformation during the 2020 presidential election, ranking ahead of foreign interference.
https://www.pbs.org/newshour/politics/social-media-disinformation-leads-election-security-concerns-poll-finds

Identical bills introduced in the House and Senate would require the federal government to appoint cybersecurity leaders of each state in the U.S., with the hopes of increasing information sharing and reducing incident response times.
https://www.infosecurity-magazine.com/news/us-state-cybersecurity-leader-act/

A new variant of the FTCODE ransomware includes the ability to steal users’ passwords to their web browser login and email.
https://www.zscaler.com/blogs/research/ftcode-ransomware–new-version-includes-stealing-capabilities

MOST PREVALENT MALWARE FILES January 16 – 23, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: scan analysis
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
MD5: c2406fc0fce67ae79e625013325e2a68
VirusTotal: scan analysis
Typical Filename: SegurazoIC.exe
Claimed Product: Digital Communications Inc.
Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: scan analysis
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94
MD5: 7c38a43d2ed9af80932749f6e80fea6f
VirusTotal: scan analysis
Typical Filename: xme64-520.exe
Claimed Product: N/A
Detection Name: PUA.Win.File.Coinminer::1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

January 16, 2020March 6, 2020

@RISK: The Consensus Security Vulnerability Alert: Vol. 20, Num. 03

@RISK: The Consensus Security Vulnerability Alert
January 16, 2020 – Vol. 20, Num. 03

CONTENTS:
=========================================================
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES January 9 – 16, 2020
=========================================================
TOP VULNERABILITY THIS WEEK: Microsoft Patch Tuesday includes update to crucial cryptography features
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft patches 49 vulnerabilities as part of Patch Tuesday
Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. Patch Tuesday covers 49 vulnerabilities, eight of which are considered critical. This month’s security update is particularly important for its disclosure of two vulnerabilities related to a core cryptographic component in all versions of Windows. CVE-2020-0601 could allow an attacker to use cryptography to sign a malicious executable, making the file appear as if it was from a trusted source. The victim would have no way of knowing if the file was malicious. Cyber security reporter Brian Krebs says the vulnerability is so serious, Microsoft secretly deployed a patch to branches of the U.S. military prior to today.
Reference: https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/
Snort SIDs: 52593 – 51596, 52604, 52605

Title: ZeroCleare wiper malware deployed on oil refinery
Description: ZeroCleare, a wiper malware connected to an Iranian hacker group, was recently deployed against a national oil refinery in Bahrain. An upgraded version has been spotted in the wild, according to security researchers, which can delete files off infected machines. The latest attacks match previous attacks using this malware family, which have gone after other targets connected to Saudi Arabia. Concerns over Iranian cyber attacks have spiked since the U.S. killed a high-profile Iranian general in a drone strike.
Reference: https://www.zdnet.com/article/new-iranian-data-wiper-malware-hits-bapco-bahrains-national-oil-company/
Snort SIDs: 52572 – 52581

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Thousands of medical images, including X-rays and CT scans, are publicly exposed to anyone with an internet connection and the required app. Despite warnings from security researchers, doctors and hospitals have not changed their storage practices.
https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/

Ring says it fired multiple employees for violating the company’s policies and viewing users’ home camera recordings.
https://www.theverge.com/2020/1/8/21057366/ring-fired-four-employees-senator-wyden-amazon

Apple continues to deny requests from the FBI to unlock iPhones connected to criminal investigations, most recently one used by a Saudi Arabian who shot multiple people at a naval base last year.
https://threatpost.com/apple-denies-fbi-request-to-unlock-shooters-iphone-again/151797/

A buggy Facebook update mistakenly exposed the managers of certain groups who were supposed to be kept anonymous.
https://www.wired.com/story/facebook-bug-page-admins-edit-history-doxxing/

The United States Cybersecurity and Infrastructure Security Agency is urging Mozilla Firefox users to update the web browser as soon as possible after attackers were spotted exploiting a remote code execution vulnerability in the wild.
https://www.macrumors.com/2020/01/10/mozilla-firefox-update-vulnerability/

Foreign currency exchange service Travelex is still recovering from a ransomware attack, affecting major banks such as RBS and Barclays.
https://www.bbc.com/news/business-51097470

The Travelex attack prompted the U.S. government to remind users to update their VPN services immediately, as the attackers in the Travelex case exploited a vulnerability first disclosed in April.
https://www.forbes.com/sites/daveywinder/2020/01/13/us-government-critical-security-alert-upgrade-vpn-or-expect-continued-cyber-attacks/#3293b1c46f70

Democratic leaders in Iowa say they will use a mobile app to report primary election results despite concerns raised by security researchers.
https://www.npr.org/2020/01/14/795906732/despite-election-security-fears-iowa-caucuses-will-use-new-smartphone-app

MOST PREVALENT MALWARE FILES January 9 – 16, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81
MD5: 5142c721e7182065b299951a54d4fe80
VirusTotal: scan analysis
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: da231330efd623bc7d116ed233828be88951b9df7cc889e747d31279bdf2c2a0
MD5: 4a4ee4ce27fa4525be327967b8969e13
VirusTotal: scan analysis
Typical Filename: 4a4ee4ce27fa4525be327967b8969e13.exe
Claimed Product: N/A
Detection Name: PUA.Win.File.Coinminer::tpd

January 9, 2020March 6, 2020

@RISK: The Consensus Security Vulnerability Alert: Vol. 20, Num. 02

@RISK: The Consensus Security Vulnerability Alert
January 9, 2020 – Vol. 20, Num. 02

CONTENTS:
=========================================================
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES January 2 – 9, 2020
=========================================================
TOP VULNERABILITY THIS WEEK: Cisco Data Center Network Manager patches SQL injection, code execution vulnerabilities
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Cisco patches dozen vulnerabilities in Data Center Network Manager
Description: Cisco released multiple security advisories last week announcing patches for 12 vulnerabilities in the Data Center Network Manager software. The software allows users to manage their Cisco switches and fabric extenders. Three of the vulnerabilities disclosed (CVE-2019-15975, CVE-2019-15976 and CVE-2019-15977) could allow an unauthenticated, remote attacker to bypass authentication and carry out a variety of malicious tasks with administrative privileges on an affected device.
Reference: https://www.helpnetsecurity.com/2020/01/06/cisco-data-center-network-manager-flaws-fixed/
Snort SIDs: 52530 – 52547

Title: Buffer overflow vulnerabilities in OpenCV
Description: Cisco Talos recently discovered two buffer overflow vulnerabilities in the OpenCV libraries. An attacker could potentially exploit these bugs to cause heap corruptions and potentially code execution. Intel Research originally developed OpenCV in 1999, but it is currently maintained by the non-profit organization OpenCV.org. OpenCV is used for numerous applications, including facial recognition technology, robotics, motion tracking and various machine learning programs.
Reference: https://blog.talosintelligence.com/2020/01/opencv-buffer-overflow-jan-2020.html
Snort SIDs: 50774, 50775 (By Dave McDaniel)

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Companies, organizations and government agencies in the U.S. are anxiously bracing for a retaliatory cyber attack from Iran after an American drone attack on a top Iranian general.
https://www.newyorker.com/tech/annals-of-technology/should-the-us-expect-an-iranian-cyberattack

The U.S. Department of Homeland Security even went so far as to release a warning telling companies to “consider and assess” the possible damage a state-sponsored attack from Iran could have on their operations.
https://techcrunch.com/2020/01/06/homeland-security-iran-cyberattacks/

Homeland Security is expected to push for legislation in 2020 that would allow them to subpoena internet companies to protect infrastructure from cyber attacks.
https://news.bloomberglaw.com/tech-and-telecom-law/cybersecurity-infrastructure-top-homeland-security-hill-agenda

Currency exchange marketplace Travelex’s website was still down as of Tuesday morning after an attack on New Year’s Eve. The company referred to the attack as a “software virus.”
https://www.infosecurity-magazine.com/news/travelex-site-down-new-years-eve/

England is looking into whether malware caused an outage at the London stock exchange in August, though the trading outage was initially blamed on a software glitch. (Please note that this story is behind a paywall.)
https://www.wsj.com/articles/u-k-examines-if-cyberattack-triggered-london-stock-exchange-outage-11578232800

Wyze smart camera users are urged to reset their passwords and reconnect third-party apps after researchers discovered an exposed database containing users’ personal information.
https://www.cnet.com/how-to/wyze-camera-data-leak-how-to-secure-your-account-right-now/

A Japanese intelligence agency released a warning that it is expecting state-sponsored cyber attacks on the 2020 Olympic Games slated to take place later this year after it discovered a series of targeted phishing emails.
https://www.cpomagazine.com/cyber-security/state-backed-cyber-attacks-expected-at-tokyo-2020-games/

Attackers are still exploiting a vulnerability in the Pulse Secure VPN service to deliver malware that deletes the victim’s backup files and disables endpoint security controls.
https://doublepulsar.com/big-game-ransomware-being-delivered-to-organisations-via-pulse-secure-vpn-bd01b791aad9

MOST PREVALENT MALWARE FILES January 2 – 9, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 5fc600351bade74c2791fc526bca6bb606355cc65e5253f7f791254db58ee7fa
MD5: 121e1634bf18768802427f0a13f039a9
VirusTotal: scan analysis
Typical Filename: AA_v3.exe
Claimed Product: Ammyy Admin
Detection Name: W32.SPR:Variant.22fn.1201

SHA 256: d8b594956ed54836817e38b365dafdc69aa7e07776f83dd0f706278def8ad2d1
MD5: 56f11ce9119632ba360e5b3dd0a89acd
VirusTotal: scan analysis
Typical Filename: xme64-540.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Coinminer::100.sbx.tg