Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: MedusaLocker ransomware continues to remap drives, encrypt victims' files

Description: MedusaLocker is a ransomware family that has been deployed since its discovery in 2019. Several variants have appeared since then, but most of the functionality remains consistent. The most notable differences are the file extension appended to encrypted files and the look and feel of the ransom note left on systems after encryption completes.

Reference: https://blog.talosintelligence.com/2020/04/medusalocker.html

Snort SIDs: 53662 - 53664


Title: Kwampirs malware goes after health care sector

Description: The FBI recently released an alert to health care organizations telling them to be on the lookout for the Kwampirs malware. The RAT infects systems and then opens a backdoor into the victim's network. According to the FBI's report, adversaries using Kwampirs have already successfully infected health care-related networks across the globe. Attackers are attempting to capitalize on the fear, uncertainty and increased workload that come with the COVID-19 pandemic.

Reference: https://www.cpomagazine.com/cyber-security/fbi-warns-of-healthcare-sector-supply-chain-attacks-involving-kwampirs-malware/

Snort SIDs: 53738 - 53741

Internet Storm Center Entries


The U.K. government plans to build its own coronavirus contact-tracing app, forgoing Apple's and Google's jointly created API.

https://www.zdnet.com/article/contact-tracing-apps-why-the-nhs-said-no-to-apple-and-googles-plan/


The World Health Organization says some of its top leadership has been targeted by cyberattacks in recent weeks, continuing a trend it's seen since mid-March.

https://www.bloomberg.com/news/articles/2020-04-21/top-officials-at-world-health-organization-targeted-for-hacks


Adversaries are stepping up the quality of their spear-phishing campaigns, recently targeting U.S.-based energy companies working in the oil industry.

https://arstechnica.com/information-technology/2020/04/hackers-target-oil-producers-as-they-struggle-with-a-record-glut-of-crude/


Nintendo shut down an older login method (Nintendo Network ID) after more than 160,000 accounts were compromised.

https://techcrunch.com/2020/04/24/after-160000-accounts-are-compromised-nintendo-shuts-down-nnid-logins/


Video streaming service Netflix upgraded to TLS 1.3, which it says will make streaming safer and quicker for users.

https://netflixtechblog.com/how-netflix-brings-safer-and-faster-streaming-experience-to-the-living-room-on-crowded-networks-78b8de7f758c


Israel's cyber defense ministry says it recently warded off multiple cyberattacks on its water control infrastructure.

https://www.scmagazine.com/home/security-news/cyberattack/israeli-cyber-defenders-warn-of-attacks-on-water-supply/


Microsoft patched a vulnerability in its Teams application that could allow an adversary to scrape data from a victim's account by sending them a specific GIF.

https://www.bbc.com/news/technology-52415773


Business leaders are raising concerns over cyberattacks that could slow down or interrupt mergers and acquisitions as economies around the world start to open up again.

https://www.wsj.com/articles/coronavirus-cybersecurity-concerns-could-add-hurdles-to-dealmaking-11587979802


Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4

MD5: c6dc7326766f3769575caa3ccab71f63

VirusTotal: https://www.virustotal.com/gui/file/fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4/details

Typical Filename: wupxarch.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A
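The hashes above are most useful when swept against a host or file share. The following is an added example, not part of the newsletter or of Talos' tooling: it takes the five SHA-256/MD5 pairs listed in this section as its IOC set, streams every file under a directory through both digests, and reports any match. The sample directory, the "wupxarch.exe" file it creates and the extra IOC added for that file are constructed at run time so the script runs offline; the real file hashes on the page will not match the constructed sample.

```python
"""Sweep a directory for files whose SHA-256 or MD5 matches a known-bad list.

Added example (not code from the page or from Talos). PAGE_IOCS is copied
from the "Prevalent Malware Files" section above; the demo tree and its
constructed "known bad" file are assumptions created at run time.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 -> MD5 pairs exactly as listed on the page.
PAGE_IOCS = {
    "fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4": "c6dc7326766f3769575caa3ccab71f63",
    "85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5": "8c80dd97c37525927c1e549cb59bcbf3",
    "3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3": "47b97de62ae8b2b927542aa5d7f3c858",
    "c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f": "e2ea315d9a83e7577053f52c974f6a5a",
    "15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b": "799b30f47060ca05d80ece53866e01cc",
}


def hash_file(path, chunk_size=1 << 20):
    """Return (sha256_hex, md5_hex) for a file, streaming it in chunks so
    large binaries are not read fully into memory."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def sweep(root, iocs):
    """Walk root and return (path, sha256, md5, matched_on) for every regular
    file whose SHA-256 or MD5 appears in iocs. Symlinks are skipped so the
    sweep cannot be steered out of the tree; unreadable files are skipped
    rather than aborting the whole run."""
    sha_set = {k.lower() for k in iocs}
    md5_set = {v.lower() for v in iocs.values()}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                sha, md5 = hash_file(p)
            except OSError:
                continue
            matched = []
            if sha in sha_set:
                matched.append("sha256")
            # MD5 is kept only because the page lists it; SHA-256 is the
            # authoritative match since MD5 collisions are practical.
            if md5 in md5_set:
                matched.append("md5")
            if matched:
                hits.append((str(p), sha, md5, matched))
    return hits


def demo():
    """Build a constructed tree with one benign file and one file that is
    registered as an IOC on the fly, then return (filename, matched_on)."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "wupxarch.exe"  # constructed sample, not real malware
        bad.write_bytes(b"constructed sample, not the real wupxarch.exe\n")
        (Path(tmp) / "notes.txt").write_text("benign content")
        sha, md5 = hash_file(bad)
        iocs = dict(PAGE_IOCS)
        iocs[sha] = md5  # assumption: add the constructed file as a known-bad hash
        return [(Path(path).name, matched) for path, _s, _m, matched in sweep(tmp, iocs)]


if __name__ == "__main__":
    for name, matched in demo():
        print(f"HIT {name} matched on {', '.join(matched)}")
```

To run against a real host, call `sweep("/path/to/scan", PAGE_IOCS)` directly; any hit on SHA-256 is a confirmed match, while an MD5-only hit should be re-checked against the SHA-256 value on the corresponding VirusTotal page before acting on it.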