Vol. 19, Num. 36
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES August 29 - September 5, 2019
TOP VULNERABILITY THIS WEEK: Additional protection for attacks against popular VPN service
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: New protection fends off password-stealing attacks from popular VPN service
Description: Last week, attackers began launching password-stealing attacks against the Fortigate and Pulse VPN services. At the time, Cisco Talos released SNORT(R) rules to protect Pulse VPN, and there is now additional protection for Fortigate. Attackers are attempting to steal encryption keys, passwords and other important data from servers utilizing these two VPN services. These bugs can be exploited by sending the unpatched servers a specialized Web request that contains a special sequence of characters.
Reference: https://arstechnica.com/information-technology/2019/08/hackers-are-actively-trying-to-steal-passwords-from-two-widely-used-vpns/
Snort SIDs: 51370 - 51372, 51387 (Written by John Levy)
Title: Multiple vulnerabilities disclosed in Cisco NX-OS software
Description: Cisco disclosed three denial-of-service vulnerabilities in its NX-OS software: CVE-2019-1965, CVE-2019-1964 and CVE-2019-1962. These bugs can cause a variety of conditions, including forced reboots, crashes or disruption of certain processes. All three are considered high-severity vulnerabilities.
Reference:
Snort SIDs: 51365 - 51367 (Written by John Levy)
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Google’s Project Zero uncovered several malicious websites that compromised iPhones for years, just by having users visit them.
https://www.cnet.com/news/google-says-iphone-security-flaws-let-websites-hack-them-for-years/
Security researchers believe this discovery could lead to a new wave of attacks on iPhones after the devices were mainly targets of nation-state actors.
https://www.wired.com/story/ios-attack-watering-hole-project-zero/
A new report suggests ransomware attacks may be on the rise because threat actors are encouraged by extortion payments from insurance companies.
https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks
Attackers used the “SIM hacking” technique to take over Twitter CEO Jack Dorsey’s personal account, posting offensive messages and linking to the group’s Discord channel.
https://www.theverge.com/2019/8/31/20841448/jack-dorsey-twitter-hacked-account-sim-swapping
Amazon’s Ring home security service recently released a list of the more than 400 police departments it partners with for a variety of reasons, and a new map can help users see what their cameras’ footage may be used for.
https://lifehacker.com/how-to-see-if-police-are-using-ring-doorbells-to-monito-1837797394
Apple apologized to users for its practice of allowing contracted employees to listen in on Siri recordings. The company now says it will be an opt-in program, with the goal of improving the AI assistant.
https://www.theguardian.com/technology/2019/aug/29/apple-apologises-listen-siri-recordings
Chinese tech company Huawei accused the U.S. of launching cyber attacks against its networks, while also denying allegations that it stole smart camera technology from a Portuguese firm. (Please note this article is behind a paywall.)
https://www.wsj.com/articles/huawei-accuses-the-u-s-of-cyberattacks-threatening-its-employees-11567500484
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2019-12643
Title: Cisco IOS XE REST API Container Software Authentication Bypass Vulnerability
Vendor: Cisco
Description: This vulnerability resides in the Cisco REST API virtual service container; however, it affects devices running Cisco IOS XE Software when exploited. A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device. The security issue is tracked as CVE-2019-12643 and has received the maximum severity score of 10 under the CVSS v3 scoring system.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2019-1663
Title: Cisco Routers Remote Command Execution Vulnerability
Vendor: Cisco
Description: A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. A remote attacker can exploit this issue to execute arbitrary commands on the host operating system with escalated privileges.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2019-1622
Title: Cisco Data Center Network Manager Information Disclosure Vulnerability
Vendor: Cisco
Description: A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software. An attacker could exploit this vulnerability by connecting to the web-based management interface of an affected device and requesting specific URLs. A successful exploit could allow the attacker to download log files and diagnostic information from the affected device.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
ID: CVE-2019-1935
Title: Cisco UCS Director Unauthenticated Remote Access Vulnerability
Vendor: Cisco
Description: A vulnerability in Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to log in to the CLI of an affected system by using the SCP User account (scpuser), which has default user credentials. The vulnerability is due to the presence of a documented default account with an undocumented default password and incorrect permission settings for that account. Due to several coding errors, it is possible for an unauthenticated remote attacker with no privileges to bypass authentication and abuse a password change function to inject arbitrary commands and execute code as root. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the scpuser account.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2019-15637
Title: Tableau XML External Entity Injection Vulnerability
Vendor: Tableau
Description: Numerous Tableau products are vulnerable to an XML External Entity (XXE) attack via a malicious workbook, extension, or data source, leading to information disclosure or denial of service. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop.
CVSS v2 Base Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:N/A:P)
ID: CVE-2019-10149
Title: Exim Remote Command Execution Vulnerability
Vendor: Exim
Description: Exim is affected by a remote command execution vulnerability. It is exploitable instantly by a local attacker; to exploit it remotely in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes), although faster methods may exist. Successful exploitation leads to remote command execution.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
MOST PREVALENT MALWARE FILES August 29 - September 5, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP