SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Xanthe miner goes after Docker-based targets
Description: Cisco Talos recently discovered a cryptocurrency-mining botnet attack we're calling "Xanthe," which attempted to compromise one of Cisco's security honeypots for tracking Docker-related threats. The infection starts with the downloader module, which downloads the main installer module, which is also tasked with spreading to other systems on the local and remote networks. The main module attempts to spread to other known hosts by stealing the client-side certificates and connecting to them without the requirement for a password. Two additional bash scripts terminate security services, remove competitors' botnets and ensure persistence by creating scheduled cron jobs and modifying one of the system startup scripts. The main payload is a variant of the XMRig Monero mining program that is protected with a shared object developed to hide the presence of the miner's process from various tools for process enumeration.
References: https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html
OSQueries: https://github.com/Cisco-Talos/osquery_queries/blob/master/packs/linux_malware.conf
ClamAV: Unix.Coinminer.Xanthe-9791859-0, Unix.Coinminer.Xanthe-9791860-0, Unix.Coinminer.Xanthe-9791861-0
Title: WebKit fixes use-after-free, code execution vulnerabilities
Description: The WebKit browser engine contains multiple vulnerabilities in various functions of the software. Malicious web page code could trigger multiple use-after-free errors, which could lead to remote, arbitrary code execution. An attacker could exploit these vulnerabilities by tricking the user into visiting a specially crafted, malicious web page in a browser utilizing WebKit. WebKit is utilized mainly in Apple's Safari web browser, but is also utilized by some PlayStation consoles and all iOS web browsers.
References: https://blog.talosintelligence.com/2020/11/vuln-spotlight-webkit-use-after-free-nov-2020.html
Snort SIDs: 55844, 55845, 56126, 56127, 56379-56382