EMOTET Malware


We currently know of only one method of distribution for the Emotet banking Trojan: distribution of spam mailings that include malicious attachments or links.

The attached files are usually ZIP archives containing the Emotet loader. The files in the archives have long names, e.g. rechnung_november_2014_11_0029302375471_03_44_0039938289.exe. This is done on purpose: a user opening the archive in a standard Windows panel might not see the extension .exe, as the end of the file name might not be displayed. Sometimes there is no attachment and the text in the main body of the email contains a link to a malicious executable file or archive.

Source: Secure List

How do you protect yourself?

Always check the source links in emails before clicking them. If you see any suspiciously named .zip files in emails that look like they are from an official sender, do not open them.
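The long-name trick described above (an executable inside a ZIP attachment whose name is long enough that the .exe extension scrolls out of view) is something a mail gateway or analyst script can check for mechanically. The following is an added example, not code from Secure List or from any mail product; the extension list, the 40-character threshold and the sample archive are my own assumptions, and the archive members are constructed placeholders rather than real malware.

```python
"""Flag ZIP attachment members that match the disguised-loader pattern:
an executable extension hidden behind a very long name, or behind a decoy
document extension such as 'invoice.pdf.exe'.  Added example code."""
import io
import zipfile
from typing import Dict, List

# Extensions that execute when double-clicked on Windows.
# Assumption: a starter list; extend it for your environment.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".wsf", ".hta",
}

# Decoy document extensions often placed before the real one.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}

# Names longer than this are treated as hiding their extension.
# Assumption: chosen so the bulletin's sample name trips it; tune as needed.
LONG_NAME_THRESHOLD = 40


def suspicious_members(zip_bytes: bytes,
                       threshold: int = LONG_NAME_THRESHOLD) -> List[Dict]:
    """Return one record per archive member that looks like a disguised loader.

    The archive is read from memory so the check works on a raw attachment
    body without writing it to disk.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]      # drop folder prefix
            base, dot, ext = name.rpartition(".")
            ext = ("." + ext).lower() if dot else ""
            if ext not in EXECUTABLE_EXTENSIONS:
                continue                                  # plain data file
            reasons = []
            if len(name) > threshold:
                reasons.append(f"long name ({len(name)} chars) hides extension")
            if "." in base and base.rpartition(".")[2].lower() in DECOY_EXTENSIONS:
                reasons.append("decoy double extension")
            if reasons:
                findings.append({"member": info.filename,
                                 "extension": ext,
                                 "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive mimicking the bulletin's example attachment.
    The member bodies are placeholder bytes, not executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "rechnung_november_2014_11_0029302375471_03_44_0039938289.exe",
            b"placeholder",
        )
        zf.writestr("readme.txt", b"harmless text")
        zf.writestr("report.pdf.exe", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_members(build_sample_archive()):
        print(finding["member"], "->", "; ".join(finding["reasons"]))
```

Run as a script it prints the two flagged members and their reasons; the harmless readme.txt is not reported. In a gateway the same function would be applied to each attachment before delivery, and a hit would be grounds to quarantine the message rather than rely on the recipient noticing the extension.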


CVE-2018-0771


A vulnerability in the XML parser of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. It was also possible that the ASA could stop processing incoming Virtual Private Network (VPN) authentication requests due to a low memory condition.

The vulnerability is due to an issue with allocating and freeing memory when processing a malicious XML payload. An attacker could exploit this vulnerability by sending a crafted XML packet to a vulnerable interface on an affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, cause a reload of the affected device or stop processing of incoming VPN authentication requests.

To be vulnerable the ASA must have Secure Socket Layer (SSL) services or IKEv2 Remote Access VPN services enabled on an interface. The risk of the vulnerability being exploited also depends on the accessibility of the interface to the attacker. For a comprehensive list of vulnerable ASA features please refer to the table in the Vulnerable Products section.

Vulnerable Products

This vulnerability affects Cisco ASA Software that is running on the following Cisco products:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 4120 Security Appliance
  • Firepower 4140 Security Appliance
  • Firepower 4150 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)
  • FTD Virtual (FTDv)

Source: Cisco


How do you protect yourself?

Customers should upgrade to an appropriate release as indicated in this section.

Cisco ASA Major Release   First Fixed Release
8.x [1]                   Affected; migrate to 9.1.7.23
9.0 [1]                   Affected; migrate to 9.1.7.23
9.1                       9.1.7.23
9.2                       9.2.4.27
9.3 [1]                   Affected; migrate to 9.4.4.16
9.4                       9.4.4.16
9.5 [1]                   Affected; migrate to 9.6.4.3
9.6                       9.6.4.3
9.7                       9.7.1.21
9.8                       9.8.2.20
9.9                       9.9.1.2

[1] ASA Software releases prior to 9.1, including all 8.x releases, and ASA releases 9.3 and 9.5 have reached End of Software Maintenance. Customers should migrate to a supported release.

The software is available for download from Cisco Software Center by navigating to Products > Security > Firewalls > Adaptive Security Appliances (ASA) > ASA 5500-X Series Firewalls where there is a list of ASA hardware platforms. The majority of these software releases are listed under Interim.
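When checking a fleet of firewalls against a fixed-release table like this one, the comparison is easy to get wrong by hand: each major train has its own fix, and the end-of-maintenance trains map to a different train entirely. The function below is an added example, not Cisco's code or tooling; the release numbers are copied from the table above, while the function names, the version-string parsing and the handling of trains not in the table are my own assumptions.

```python
"""Classify an ASA software version against the advisory's fixed-release
table and say what to upgrade to.  Added example code; release numbers come
from the table, everything else is assumed."""
import re
from typing import NamedTuple, Optional, Tuple


class Advice(NamedTuple):
    affected: Optional[bool]   # None when the train is not in the table
    target: Optional[str]      # release to move to, None when already fixed
    note: str


# Major release -> first fixed release in that train (from the table).
FIRST_FIXED = {
    "9.1": "9.1.7.23",
    "9.2": "9.2.4.27",
    "9.4": "9.4.4.16",
    "9.6": "9.6.4.3",
    "9.7": "9.7.1.21",
    "9.8": "9.8.2.20",
    "9.9": "9.9.1.2",
}

# End-of-maintenance trains and the release the table migrates them to.
MIGRATE = {"9.0": "9.1.7.23", "9.3": "9.4.4.16", "9.5": "9.6.4.3"}
PRE_9_TARGET = "9.1.7.23"      # all 8.x (and earlier) releases


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.1.7.23' or Cisco's '9.1(7)23' display form into a tuple.
    Assumption: every numeric field is significant and in order."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def check_asa_version(version: str) -> Advice:
    """Return whether `version` is affected and which release fixes it."""
    parts = parse_version(version)
    if len(parts) < 2:
        raise ValueError(f"unrecognised ASA version: {version!r}")
    major, minor = parts[0], parts[1]
    train = f"{major}.{minor}"

    if major < 9:
        return Advice(True, PRE_9_TARGET,
                      "8.x has reached End of Software Maintenance; migrate")
    if train in MIGRATE:
        return Advice(True, MIGRATE[train],
                      f"{train} has reached End of Software Maintenance; migrate")
    if train not in FIRST_FIXED:
        return Advice(None, None,
                      f"{train} is not in the advisory table; verify with Cisco")

    fixed = FIRST_FIXED[train]
    # Tuple comparison orders releases field by field; a shorter tuple that
    # is a prefix of the fixed release sorts below it, i.e. still affected.
    if parts >= parse_version(fixed):
        return Advice(False, None,
                      f"{version} is at or above first fixed release {fixed}")
    return Advice(True, fixed,
                  f"{version} is below first fixed release {fixed}")


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    for v in ["8.4.7", "9.1.7.20", "9.1(7)23", "9.3.2", "9.8.2.20", "9.9.1.1"]:
        a = check_asa_version(v)
        print(f"{v:10} affected={a.affected!s:5} target={a.target}  {a.note}")
```

Feed it the output of `show version` from each device and the result tells you which boxes still need the upgrade and which train to take them to; a None result means the table does not cover that train and the advisory should be consulted directly rather than assumed safe.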

GandCrab Ransomware


GandCrab is currently being distributed through a malvertising campaign called Seamless that then pushes the visitors to the RIG exploit kit. The exploit kit will then attempt to utilize vulnerabilities in the visitor’s software to install GandCrab without their permission.

A first for ransomware is GandCrab’s use of the DASH currency as a ransom payment. Most file encrypting ransomware families have exclusively used Bitcoin as the ransom payment method. Lately, some ransomware infections have been moving to Monero and even Ethereum.

This is the first time, though, that we have seen any ransomware ask for DASH as the payment. This is most likely due to DASH being built around privacy and thus harder for law enforcement to track the owners of the coins.

Source: Bleeping Computer

How do you protect yourself?

In order to protect yourself from ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack. With a good backup, ransomware has no effect on you.