@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 40

@RISK: The Consensus Security Vulnerability Alert
October 3, 2019 – Vol. 19, Num. 40
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES September 26 – October 3, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: APT targets members of Tibetan government with spyware
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Moonshine attack installs spyware on Android devices
Description: Researchers recently discovered the Moonshine attack being used in the wild. An APT known as “Poison Karp” used Moonshine to load spyware onto mobile devices belonging to members of the Tibetan government. The attack consists of a mixture of eight different vulnerabilities in the Android mobile operating system, but no zero-days. Researchers say the attackers targeted staffers of the Dalai Lama once in 2018, and then again in April and May of this year.
Reference: https://www.scmagazine.com/home/security-news/apts-cyberespionage/poison-carp-cyberespionage-group-targeting-tibetan-officials-with-mobile-malware/
Snort SIDs: 51672 (By Lilia Gonzalez Medina)

Title: Foxit PDF Reader JavaScript Array includes remote code execution vulnerability
Description: Foxit PDF Reader contains a remote code execution vulnerability in its JavaScript engine. Foxit aims to be one of the most feature-rich PDF readers on the market and contains many similar functions to that of Adobe Acrobat Reader. The software uses JavaScript at several different points when opening a PDF. A bug exists in the JavaScript reading function that results in a large amount of memory to be allocated, which quickly uses up all available memory. An attacker could exploit this vulnerability to then gain the ability to remotely execute code.
Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-foxit-PDF-JavaScript-sept-2019.html
Snort SIDs: 49648, 49649 (By Mike Bautista)

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

A security researcher says they’re producing a legitimate-looking iPhone cable that can actually allow the user to completely take over another user’s machine by connecting their phone to the targeted machine.
https://www.vice.com/en_us/article/3kx5nk/fake-apple-lightning-cable-hacks-your-computer-omg-cable-mass-produced-sold

It’s becoming increasingly easier for companies to buy misinformation campaigns designed to discredit their competition.
https://www.recordedfuture.com/disinformation-service-campaigns/

A group of academics in Germany discovered a new attack vector that could allow a malicious user to steal information from encrypted PDFs without any user interaction.
https://www.zdnet.com/article/new-pdfex-attack-can-exfiltrate-data-from-encrypted-pdf-files/

A criminal group was able to exploit two major web browser vulnerabilities over the past six months to display a combined 2 billion malicious ads to users across the internet.
https://www.zdnet.com/article/malvertiser-exploited-two-browser-bugs-to-show-over-one-billion-malicious-ads/

The U.S. Senate passed a bill that would allow the Department of Homeland Security to establish incident response teams to assist local and state governments in the event of a ransomware attack.
https://threatpost.com/senate-passes-bill-aimed-at-combating-ransomware-attacks/148779/

The former CEO of MyPayrollHR was arrested and charged with fraud, weeks after the company quietly shut down and caused $26 million worth of paychecks to be withdrawn from customers’ employees’ accounts.
https://krebsonsecurity.com/2019/09/mypayrollhr-ceo-arrested-admits-to-70m-fraud/

Cisco Talos recently discovered a new malware loader being used to deliver and infect systems with a previously undocumented malware payload called “Divergent.”
https://blog.talosintelligence.com/2019/09/divergent-analysis.html

The National Security Agency formally announced a new Cybersecurity Directorate, which will bring all of its cyber attack prevention efforts under one roof.
https://www.washingtonpost.com/national-security/nsa-launches-new-cyber-defense-directorate/2019/09/30/c18585f6-e219-11e9-be96-6adb81821e90_story.html

Attackers are increasingly using the ODT file type to bypass anti-virus detection.
https://blog.talosintelligence.com/2019/09/odt-malware-twist.html

MOST PREVALENT MALWARE FILES September 26 – October 3, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: scan analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: scan analysis
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 39b114b72b19777a5c012b9f11d37f2402ed99e9f7e173826b8b61c933bf34e8
MD5: fbc6bd8bf115cb3f93a520d22b054b90
VirusTotal: scan analysis
Typical Filename: N/A
Claimed Product: N/A
Detection Name: PUA.Win.Trojan.Remoteexec::tpd

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 39

@RISK: The Consensus Security Vulnerability Alert
September 26, 2019 – Vol. 19, Num. 39
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES September 19 – 26, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Emotet returns after a quiet summer
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: New Emotet campaign emerges, but protection stays the same
Description: At the beginning of June 2019, Emotet’s operators decided to take an extended summer vacation. Even the command and control (C2) activities saw a major pause in activity. However, as summer draws to a close, Cisco Talos and other researchers started to see increased activity in Emotet’s C2 infrastructure. And as of Sept. 16, 2019, the Emotet botnet has fully reawakened, and has resumed spamming operations once again. The malware still mainly relies on socially engineered spam emails to spread. Once the attackers have swiped a victim’s email, Emotet constructs new attack messages in reply to some of that victim’s unread email messages, quoting the bodies of real messages in the threads.
Reference: https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html
Snort SIDs: 47616, 47617, 48402, 49889, 43890 – 43892, 44559, 44560

Title: Aspose PDF API contains multiple remote code execution vulnerabilites
Description: There are multiple remote code execution vulnerabilities in the Aspose.PDF API. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and trick them into opening it while using the corresponding API.
Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-aspose-PDF-API-sept-2019.html
Snort SIDs: 50730, 50731, 50738, 50739

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Apple’s iOS is now widely available on streaming devices, and it comes with a slew of new privacy and security features.
https://www.wired.com/story/ios-13-security-privacy-features-settings/

However, the initial release contains a bug where the iPhone will ignore certain location services features if the user has set an app to “never” track their location.
https://www.forbes.com/sites/kateoflahertyuk/2019/09/23/apple-confirms-ios-13-location-privacy-bug-impacting-millions-of-iphone-users/#3eb5f3a6fac8

The FBI reportedly uses a large number of secret subpoenas to obtain information about private companies, specifically in the tech industry.
https://www.nytimes.com/2019/09/20/us/data-privacy-fbi.html

Software firm Chef is cancelling its contract with U.S. ICE after a former employee deleted open-source code in protest.
https://www.vice.com/en_us/article/qvg3q5/chef-not-renewing-ice-immigration-customs-enforcem

Dozens of YouTube content creators had their accounts hijacked over the past week, likely the result of a phishing scam where attackers lured channel owners to a malicious website and stole their login credentials.
https://www.zdnet.com/article/massive-wave-of-account-hijacks-hits-youtube-creators/

Microsoft released an out-of-band patch for Internet Explorer that fixes a critical vulnerability in the web browser that could be used to take over the victim’s entire machine.
https://www.pcworld.com/article/3440556/a-new-internet-explorer-bug-can-take-over-your-entire-pc-so-stop-using-it.html

The U.S. is reportedly looking into several options to carry out a cyber attack on Iran that would hamper its ability to disrupt the Middle East while avoiding kinetic warfare.
https://www.nytimes.com/2019/09/23/world/middleeast/iran-cyberattack-us.html

MOST PREVALENT MALWARE FILES September 19 – 26, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: scan analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: scan analysis
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: scan analysis
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG

@RISK: The Consensus Security Vulnerability Alert: Vol. 19, Num. 38

@RISK: The Consensus Security Vulnerability Alert
September 19, 2019 – Vol. 19, Num. 38
=========================================================
CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES September 12 – 19, 2019
=========================================================
TOP VULNERABILITY THIS WEEK: Some AMD graphics cards open to remote code execution attacks
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Remote code execution vulnerability in some AMD Radeon cards
Description: A line of AMD Radeon cards contains a remote code execution vulnerability in their ATIDXX64.DLL driver. AMD produces the Radeon line of hardware, which includes graphics cards and graphics processing units. This specific vulnerability exists on the Radeon RX 550 and the 550 Series while running VMWare Workstation 15. An attacker could exploit this vulnerability by supplying a malformed pixel shared inside the VMware guest operating system to the driver. This could corrupt memory in a way that would allow the attacker to gain the ability to remotely execute code on the victim machine.
Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-AMD-Radeon-ATI-sept-19.html
Snort SIDs: 49978, 49979 (Written by Tim Muniz)

Title: Atlassian Jira service contains multiple vulnerabilities, including remote JavaScript execution
Description: Atlassian’s Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is a piece of software that allows users to create, manage and organize tasks and manage projects. These bugs could create a variety of scenarios, including the ability to execute code inside of Jira and the disclosure of information inside of tasks created in Jira, including attached documents.
Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-atlassian-jira-sept-19.html
Snort SIDs: 50110, 50111 (Written by Amit Raut), 50114 (Written by Josh Williams)

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

The U.S. Treasury Department announced a new round of sanctions targeting three North Korean state-sponsored threat groups.
https://home.treasury.gov/news/press-releases/sm774

States across the U.S. were critical of a cyber security “report card” that pointed out flaws in their election systems, saying that the company that wrote the reports had flawed methodology and is only after publicity.
https://www.propublica.org/article/report-on-election-security-gains-attention-and-a-sharp-rebuke

Windows’ new “health release dashboard” is designed to make updates easier, but security researchers have already discovered several bugs and design flaws.
https://www.zdnet.com/article/windows-10-has-microsoft-cleaned-up-its-update-mess-spoiler-maybe/

A vulnerability in the soon-to-be-released iOS 13 could allow a malicious user to bypass the phone’s lockscreen and view the owners’ contacts.
https://www.theverge.com/2019/9/13/20863993/ios-13-exploit-lockscreen-bypass-security

The LastPass password manager fixed a bug that could have exposed the credentials a user entered on previous websites they visited.
https://gizmodo.com/you-should-update-lastpass-right-now-1838142059

Attackers are impersonating organizations’ executives as a way of obtaining digital certificates.
https://blog.reversinglabs.com/blog/digital-certificates-impersonated-executives-as-certificate-identity-fronts

The new Wi-Fi 6 certifications rolled out this week, opening devices up to faster internet speeds than ever.
https://www.theverge.com/2019/9/16/20864338/wifi-6-alliance-tech-certification-program-launch

MOST PREVALENT MALWARE FILES September 12 – 19, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: scan analysis
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 26da22347f1d91f6ca56b7c47644a776b72251d3de11c90d9fd77556d5236f5e
MD5: f6f6039fc64ad97895142dc99554e971
VirusTotal: scan analysis
Typical Filename: CSlast.gif
Claimed Product: N/A
Detection Name: W32.26DA22347F-100.SBX.TG

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: scan analysis
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG

SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7
MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
VirusTotal: scan analysis
Typical Filename: sayext.gif
Claimed Product: N/A
Detection Name: W32.093CC39350-100.SBX.TG

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

Wildcard SSL