@RISK Newsletter for December 26, 2019
The consensus security vulnerability alert.
Vol. 19, Num. 52
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
MOST PREVALENT MALWARE FILES December 19 - 26, 2019
TOP VULNERABILITY THIS WEEK: Attackers utilize Cisco ASA bug to carry out DoS attacks
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Old vulnerability in Cisco Adaptive Security Appliances exploited in DoS attacks
Description: Attackers are exploiting a patched vulnerability in Cisco ASA to carry out denial-of-service attacks and steal critical information. The vulnerability, CVE-2018-0296, is a directory traversal bug found in the web framework of the Adaptive Security Appliance and Firepower Appliance. An attacker can use a specially crafted URL to cause the ASA appliance to reboot or to disclose information without authentication. This vulnerability was first discovered and patched in June 2018, but vulnerable devices are still being targeted.
Reference: https://www.bleepingcomputer.com/news/security/cisco-security-appliances-targeted-for-dos-attacks-via-old-bug/
Snort SIDs: 46897
Title: Multiple vulnerabilities in some WAGO devices
Description: The WAGO PFC200 and PFC100 controllers contain multiple exploitable vulnerabilities. The PFC200 is one of WAGO’s programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing and building management. The vulnerabilities disclosed here all have their root cause within the protocol handling code of the I/O Check (iocheckd) configuration service used by the controllers. The vulnerabilities discussed here could allow an attacker to remotely execute code, deny service to the device or weaken device login credentials.
Reference: https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-multiple.html
Snort SIDs: 50786 - 50789, 50790 - 50793, 50797
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Reporters and researchers at the New York Times were able to use leaked location data to track cell phone users across the U.S., even President Donald Trump, a sign of a major national security risk.
https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html
The login credentials for more than 3,000 Ring camera users were leaked last week, the latest blow to the Amazon-owned security company.
https://www.buzzfeednews.com/article/carolinehaskins1/data-leak-exposes-personal-data-over-3000-ring-camera-users
Gas station chain Wawa says it had been the victim of a credit card-stealing attack since March, potentially affecting every customer at each of its locations. The company is offering victims free fraud protection for a year.
https://slate.com/technology/2019/12/how-bad-is-the-wawa-data-breach.html
A U.S. government-sponsored study found there is a high rate of error in facial recognition technology, especially among non-whites, often assigning individuals the wrong gender or identifying them as the incorrect race.
https://news.yahoo.com/massive-errors-found-facial-recognition-tech-us-study-215334634.html
An airline in Alaska had to cancel several flights after what the company called a “malicious cyber attack.”
https://www.usatoday.com/story/travel/news/2019/12/22/alaska-airline-cancels-flights-after-malicious-cyber-attack/2727709001/
U.S. military members are now banned from using the popular social media app TikTok on government-issued devices, citing security concerns based on the app developer’s potential connections to China.
https://www.pcmag.com/news/372673/us-navy-bans-tiktok-citing-cybersecurity-threat
Content management system Drupal released a series of security updates, fixing a critical vulnerability that could allow an attacker to directly upload some malicious files to a website.
https://thehackernews.com/2019/12/drupal-website-hacking.html
An exposed Elasticsearch database exposed the personal information of more than 26,000 Honda car owners, including names, addresses, VINs and email addresses.
https://www.scmagazine.com/home/security-news/database-security/open-database-exposes-26000-honda-motors-customers/
MOST PREVALENT MALWARE FILES December 19 - 26, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
MD5: c2406fc0fce67ae79e625013325e2a68
VirusTotal: https://www.virustotal.com/gui/file/1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871/details
Typical Filename: SegurazoIC.exe
Claimed Product: Digital Communications Inc.
Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
SHA 256: b32093d726609c88a06f71b8fe74e9e5a04c2dfe81fc39743bdd970bf4dea017
MD5: baadce7c152b24bd48cc1f2f4a0b088d
VirusTotal: https://www.virustotal.com/gui/file/b32093d726609c88a06f71b8fe74e9e5a04c2dfe81fc39743bdd970bf4dea017/details
Typical Filename: xme64-530.exe
Claimed Product: N/A
Detection Name: W32.B32093D726-100.SBX.TG