Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Fake certificate expiration notices used to plant Mokes malware

Description: Attackers are infecting websites and displaying fake notifications that the site's certificate is expired. The URL bar still displays the legitimate URL, but a fake image is displayed in the entire window stating that "Security Certificate is out of date." If the user clicks on a button to download the updated certificate, they are infected with the Buerak downloader and Mokes malware.

Reference: https://www.tripwire.com/state-of-security/security-data-protection/expired-certificates-used-as-disguise-to-spread-buerak-mokes-malware/

Snort SIDs: 54097 - 54106


Title: Variant of ZeuS malware available for sale online

Description: Attackers are selling a new fork of the infamous ZeuS banking trojan. Known as "Silent Night," security researchers discovered the malware that appears to date back to November. Silent Night is for sale currently on a Russian dark web forum. It fetches the core malicious module and injects it into other running processes, showing very similar techniques and code to ZeuS.

Reference: https://blog.malwarebytes.com/threat-analysis/2020/05/the-silent-night-zloader-zbot/

Snort SIDs: 54093, 54094

Security News


Minneapolis's city computer systems and websites were hit with a distributed denial-of-service (DDoS) attack late last week; the majority of systems were operating as usual within a few hours.

https://www.govtech.com/security/Minneapolis-Hit-with-DDoS-Attack-amid-Social-Unrest.html


Hackers claimed that email addresses and passwords posted to the web were stolen from the Minneapolis police department; closer examination of the information suggests that it came from other, unrelated breaches.

https://www.troyhunt.com/analysing-the-alleged-minneapolis-police-department-hack/


A report from the World Economic Forum describes how lessons learned from the COVID-19 pandemic can inform preparations for a global cyberattack.

https://www.weforum.org/agenda/2020/06/covid-19-pandemic-teaches-us-about-cybersecurity-cyberattack-cyber-pandemic-risk-virus/


A bipartisan bill in the US Senate would prohibit any commercial use of data collected by COVID-19 tracing apps and would allow users to request that their data be deleted.

https://www.washingtonpost.com/technology/2020/06/01/contact-tracing-congress-privacy/


As employees start to return to physical offices, some companies are turning to monitoring apps to keep track of whether employees are sick or have been in contact with other sick people.

https://www.buzzfeednews.com/article/carolinehaskins1/coronavirus-private-contact-tracing


Older versions of Android are vulnerable to a security flaw that could allow an attacker to secretly steal private information off mobile devices.

https://www.inc.com/minda-zetlin/security-flaw-means-malware-could-steal-data-from-android-devices.html


A GitHub report details an open-source supply chain attack that affected at least 26 code repositories.

https://www.zdnet.com/article/github-warns-java-developers-of-new-malware-poisoning-netbeans-projects/


The American Civil Liberties Union is suing facial recognition startup Clearview AI for allegedly violating an Illinois privacy law.

https://www.theverge.com/2020/5/28/21273388/aclu-clearview-ai-lawsuit-facial-recognition-database-illinois-biometric-laws


Google patched dozens of vulnerabilities in its Android operating system, including two critical remote code execution vulnerabilities.

https://arstechnica.com/information-technology/2020/06/google-fixes-android-flaws-that-allow-code-execution-with-high-system-rights/

Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188

MD5: a10a6d9dfc0328a391a3fdb1a9fb18db

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/detection

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201