Category: Security Vulnerability Alert

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked

Posted on

Latest news from Naked Security (2020/01/23)

Looking for silver linings in the CVE-2020-0601 crypto vulnerability

Is there some good news hidden in the story of the CVE-2020-0601 crypto vulnerability?

UN report alleges that Saudi crown prince hacked Jeff Bezos’s phone

Digital forensic evidence points to the phone’s massive, months-long data egress having likely been triggered by Pegasus mobile spyware.

Apple allegedly made nice with FBI by dropping iCloud encryption plan

Sources told Reuters that Apple may have been convinced by arguments made during the legal fight over cracking the San Bernardino iPhone.

Sonos’s tone-deaf legacy product policy angers customers

Stopping software updates for legacy kit is nothing new, but it’s the way the company has done it that has Sonos customers’ hackles up.

FBI issues warning about lucrative fake job scams

What’s the difference between a real job and a fake one found on the internet? The fake ones are suspiciously easy to get interviews for.
Posted on

@RISK: The Consensus Security Vulnerability Alert: Vol. 20, Num. 04

@RISK: The Consensus Security Vulnerability Alert
January 23, 2020 – Vol. 20, Num. 04

CONTENTS:
=========================================================
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES January 16 – 23, 2020
=========================================================
TOP VULNERABILITY THIS WEEK: Microsoft Patch Tuesday includes update to crucial cryptography features
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft cryptography vulnerability lingers after Patch Tuesday
Description: The U.S. National Security Agency released a warning late last week, urging users to update their Microsoft products as soon as possible to fix a vulnerability in its cryptographic certificate-signing function. Attackers could use this bug to sign a program, and make it appear as if it is from a trusted source, without the user ever knowing about the adversary’s actions. A security researcher was even able to create a proof of concept “Rick Rolling” the NSA’s website to display a popular internet meme. The NSA’s statement says that it believes “the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.”
Reference: https://securityboulevard.com/2020/01/nsa-microsoft-releases-patch-to-fix-latest-windows-10-vulnerability/
Snort SIDs: 52617 – 52619

Title: Emotet continues to grow, spike in spam to start off 2020
Description: Emotet continues to infect individuals and organizations all over the world, but Cisco Talos recently discovered a new relationship between Emotet and the .mil (U.S. military) and .gov (U.S./state government) top-level domains (TLDs). When Emotet emerged from its summer vacation back in mid-September 2019, relatively few outbound emails were seen directed at the .mil and .gov TLDs. But sometime in the past few months, Emotet was able to successfully compromise one or more persons working for or with the U.S. government. As a result of this, Talos saw a rapid increase in the number of infectious Emotet messages directed at the .mil and .gov TLDs in December 2019.
Reference: https://blog.talosintelligence.com/2020/01/stolen-emails-reflect-emotets-organic.html
Snort SIDs: 51967-51971, 52029, additional coverage pending

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

A group of American lawmakers is asking the Federal Trade Commission to look into a financial data company that they say is selling individuals’ personal information to third parties without clearly informing them first.
https://www.vice.com/en_us/article/939bja/lawmakers-say-financial-giant-envestnet-has-been-selling-user-data-without-telling-them

Little-known facial recognition startup Clearview AI has already partnered with law enforcement agencies across the globe to provide them access to more than 3 billion photos, which security experts warn could lead to weaponization.
https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html

Equifax settled a class-action lawsuit over a massive data breach in 2017 for $380.5 million.
https://threatpost.com/equifax-settles-class-action-lawsuit/151873/

The FBI seized the domain for WeLeakInfo, a website purporting to sell thousands of stolen credentials, while international police arrested two men in Europe connected to the site.
https://www.npr.org/2020/01/17/797282149/fbi-seizes-website-suspected-of-selling-access-to-billions-of-pieces-of-stolen-d

Citrix released a patch for a critical vulnerability in its VPN services on Jan. 19, just as security researchers discovered attackers exploiting the bug in the wild.
https://arstechnica.com/information-technology/2020/01/as-attacks-begin-citrix-ships-patch-for-vpn-vulnerability/

A new survey from NPR and PBS found that Americans are most worried about the spread of misinformation during the 2020 presidential election, ranking ahead of foreign interference.
https://www.pbs.org/newshour/politics/social-media-disinformation-leads-election-security-concerns-poll-finds

Identical bills introduced in the House and Senate would require the federal government to appoint cybersecurity leaders of each state in the U.S., with the hopes of increasing information sharing and reducing incident response times.
https://www.infosecurity-magazine.com/news/us-state-cybersecurity-leader-act/

A new variant of the FTCODE ransomware includes the ability to steal users’ passwords to their web browser login and email.
https://www.zscaler.com/blogs/research/ftcode-ransomware–new-version-includes-stealing-capabilities

MOST PREVALENT MALWARE FILES January 16 – 23, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: scan analysis
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
MD5: c2406fc0fce67ae79e625013325e2a68
VirusTotal: scan analysis
Typical Filename: SegurazoIC.exe
Claimed Product: Digital Communications Inc.
Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: scan analysis
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94
MD5: 7c38a43d2ed9af80932749f6e80fea6f
VirusTotal: scan analysis
Typical Filename: xme64-520.exe
Claimed Product: N/A
Detection Name: PUA.Win.File.Coinminer::1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

Posted on

@RISK: The Consensus Security Vulnerability Alert: Vol. 20, Num. 03

@RISK: The Consensus Security Vulnerability Alert
January 16, 2020 – Vol. 20, Num. 03

CONTENTS:
=========================================================
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES January 9 – 16, 2020
=========================================================
TOP VULNERABILITY THIS WEEK: Microsoft Patch Tuesday includes update to crucial cryptography features
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft patches 49 vulnerabilities as part of Patch Tuesday
Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. Patch Tuesday covers 49 vulnerabilities, eight of which are considered critical. This month’s security update is particularly important for its disclosure of two vulnerabilities related to a core cryptographic component in all versions of Windows. CVE-2020-0601 could allow an attacker to use cryptography to sign a malicious executable, making the file appear as if it was from a trusted source. The victim would have no way of knowing if the file was malicious. Cyber security reporter Brian Krebs says the vulnerability is so serious, Microsoft secretly deployed a patch to branches of the U.S. military prior to today.
Reference: https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/
Snort SIDs: 52593 – 51596, 52604, 52605

Title: ZeroCleare wiper malware deployed on oil refinery
Description: ZeroCleare, a wiper malware connected to an Iranian hacker group, was recently deployed against a national oil refinery in Bahrain. An upgraded version has been spotted in the wild, according to security researchers, which can delete files off infected machines. The latest attacks match previous attacks using this malware family, which have gone after other targets connected to Saudi Arabia. Concerns over Iranian cyber attacks have spiked since the U.S. killed a high-profile Iranian general in a drone strike.
Reference: https://www.zdnet.com/article/new-iranian-data-wiper-malware-hits-bapco-bahrains-national-oil-company/
Snort SIDs: 52572 – 52581

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Thousands of medical images, including X-rays and CT scans, are publicly exposed to anyone with an internet connection and the required app. Despite warnings from security researchers, doctors and hospitals have not changed their storage practices.
https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/

Ring says it fired multiple employees for violating the company’s policies and viewing users’ home camera recordings.
https://www.theverge.com/2020/1/8/21057366/ring-fired-four-employees-senator-wyden-amazon

Apple continues to deny requests from the FBI to unlock iPhones connected to criminal investigations, most recently one used by a Saudi Arabian who shot multiple people at a naval base last year.
https://threatpost.com/apple-denies-fbi-request-to-unlock-shooters-iphone-again/151797/

A buggy Facebook update mistakenly exposed the managers of certain groups who were supposed to be kept anonymous.
https://www.wired.com/story/facebook-bug-page-admins-edit-history-doxxing/

The United States Cybersecurity and Infrastructure Security Agency is urging Mozilla Firefox users to update the web browser as soon as possible after attackers were spotted exploiting a remote code execution vulnerability in the wild.
https://www.macrumors.com/2020/01/10/mozilla-firefox-update-vulnerability/

Foreign currency exchange service Travelex is still recovering from a ransomware attack, affecting major banks such as RBS and Barclays.
https://www.bbc.com/news/business-51097470

The Travelex attack prompted the U.S. government to remind users to update their VPN services immediately, as the attackers in the Travelex case exploited a vulnerability first disclosed in April.
https://www.forbes.com/sites/daveywinder/2020/01/13/us-government-critical-security-alert-upgrade-vpn-or-expect-continued-cyber-attacks/#3293b1c46f70

Democratic leaders in Iowa say they will use a mobile app to report primary election results despite concerns raised by security researchers.
https://www.npr.org/2020/01/14/795906732/despite-election-security-fears-iowa-caucuses-will-use-new-smartphone-app

MOST PREVALENT MALWARE FILES January 9 – 16, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
MD5: c2406fc0fce67ae79e625013325e2a68
VirusTotal: scan analysis
Typical Filename: SegurazoIC.exe
Claimed Product: Digital Communications Inc.
Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg

SHA 256: d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81
MD5: 5142c721e7182065b299951a54d4fe80
VirusTotal: scan analysis
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: da231330efd623bc7d116ed233828be88951b9df7cc889e747d31279bdf2c2a0
MD5: 4a4ee4ce27fa4525be327967b8969e13
VirusTotal: scan analysis
Typical Filename: 4a4ee4ce27fa4525be327967b8969e13.exe
Claimed Product: N/A
Detection Name: PUA.Win.File.Coinminer::tpd

Wildcard SSL