Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: 12 critical vulnerabilities fixed in latest Microsoft Patch Tuesday

Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 98 vulnerabilities, 12 of which are considered critical and 84 that are considered important. There are also two bugs that were not assigned a severity. This month's patches include updates to the Windows kernel, the Windows scripting engine and Remote Desktop Protocol, among other software and features. Microsoft also provided a critical advisory covering updates to Adobe Flash Player.

Reference: https://blog.talosintelligence.com/2020/02/microsoft-patch-tuesday-feb-2020.html

Snort SIDs: 48701, 48702, 53050 - 53056, 53061, 53072, 53073, 53079 - 53089


Title: Adobe releases updates for Reader, Flash Player and more

Description: Adobe disclosed 42 new vulnerabilities this week as part of its monthly security update, 35 of which are considered critical. These updates include Acrobat Reader, Flash Player and other Adobe products. Most notable are two bugs in Flash Player and Adobe Framemaker that could allow an attacker to execute arbitrary code on the victim machine.

Reference: https://threatpost.com/adobe-security-update-critical-flash-framemaker-flaws/152782/

Snort SIDs: 52331, 52332

Internet Storm Center Entries


The U.S. formally charged four members of the Chinese military for stealing millions of Americans' personal information during a hack on credit reporting agency Equifax, one of the largest data breaches in history.

https://apnews.com/05aa58325be0a85d44c637bd891e668f


Chinese officials immediately rebuffed the charges and denied any involvement in the attack.

https://www.cbsnews.com/news/china-denies-responsibility-in-equifax-breach-after-doj-charges-four-military-members/


Government officials and security researchers are still unpacking the failures of an election results-reporting app used during the Iowa caucus. A delay in results is likely the result of many factors, including flaws in the app and understaffing.

https://arstechnica.com/information-technology/2020/02/the-iowa-caucuses-were-a-comedy-of-tech-errors-and-poor-planning/


It also appears members of an online forum may have attempted to disrupt the app, clogging a phone line used to report results in a distributed denial-of-service attack.

https://www.nbcnews.com/tech/security/clog-lines-iowa-caucus-hotline-posted-online-encouragement-disrupt-results-n1131521


A new report from the U.S. Government Accountability Office states America's cyber security agency is not equipped to properly handle the threats posed to the upcoming presidential election.

https://www.cnn.com/2020/02/06/politics/election-security-department-of-homeland-security/index.html


Corp.com, a domain that, because of a long-standing Windows Active Directory naming default, has for years received misdirected passwords, email and other proprietary data belonging to major organizations around the globe, is up for sale, as the owner looks to downsize his estate.

https://krebsonsecurity.com/2020/02/dangerous-domain-corp-com-goes-up-for-sale/


India is close to implementing a new set of cyber security regulations, which could have wide-ranging consequences for future policies in other countries.

https://www.wired.com/story/opinion-indias-data-protection-bill-threatens-global-cybersecurity/


A cyber attack shut down roughly 25 percent of Iran's internet access last week for about an hour, though the country touted how quickly it fended off the attack.

https://netblocks.org/reports/internet-shutdown-in-iran-following-reported-cyber-attack-18lJVDBa


Cisco patched five high-severity vulnerabilities in its Cisco Discovery Protocol (CDP) implementation that could allow an unauthenticated attacker on the same network segment (CDP is a Layer 2 protocol) to execute code remotely or cause a denial of service on thousands of devices.

https://www.scmagazine.com/home/security-news/vulnerabilities/five-high-level-flaws-patched-in-cisco-discovery-protocol/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-0665

Title: Microsoft Active Directory Privilege Escalation Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in Active Directory forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest. Because the delegated TGT is for a user of the trusted forest, a remote attacker who controls a server in the trusting forest can use it to gain elevated privileges in the trusted forest, which means the forest trust is not the security boundary it is usually assumed to be.

CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
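The check a domain administrator would want after reading this entry, as an added example that is not part of the Qualys entry or Microsoft's own tooling: decode the trustAttributes bitmask of every trust in the audited forest and flag forest trusts over which another forest could still obtain delegable TGTs for local identities. Bit values are the ones documented in MS-ADTS; the trust records are constructed to look like what an LDAP query of trustedDomain objects returns.

```python
# Added example (not from the Qualys entry or from Microsoft): audit Active
# Directory trusts for cross-forest TGT delegation (the CVE-2020-0665 condition).
# Bit values are MS-ADTS trustAttributes bits; the trust records are constructed.
from typing import Dict, List

# MS-ADTS trustAttributes bits used here
TA_FOREST_TRANSITIVE = 0x00000008
TA_WITHIN_FOREST = 0x00000020
TA_CROSS_ORG_NO_TGT_DELEGATION = 0x00000200      # delegation explicitly blocked
TA_CROSS_ORG_ENABLE_TGT_DELEGATION = 0x00000800  # delegation explicitly allowed

# trustDirection bits, seen from the forest being audited
DIR_INBOUND = 1   # the other forest trusts us: our users can authenticate there
DIR_OUTBOUND = 2  # we trust the other forest: their users can authenticate here


def tgt_delegation_state(trust_attributes: int) -> str:
    """Classify what a trust object says about delegating our users' TGTs across it."""
    if trust_attributes & TA_CROSS_ORG_ENABLE_TGT_DELEGATION:
        return "enabled"
    if trust_attributes & TA_CROSS_ORG_NO_TGT_DELEGATION:
        return "disabled"
    # Neither bit set: the DC applies its built-in default. Before this fix that
    # default allowed delegation, which is exactly the condition the CVE describes.
    return "default"


def audit_trusts(trusts: List[Dict]) -> List[Dict]:
    """Return the trusts over which another forest could obtain delegable TGTs
    for identities in the audited forest.

    Only forest trusts matter, and only those with an inbound component: the
    attacker sits in the trusting (resource) forest and can only abuse identities
    that are allowed to authenticate there.
    """
    findings = []
    for t in trusts:
        attrs = t["trustAttributes"]
        if attrs & TA_WITHIN_FOREST or not attrs & TA_FOREST_TRANSITIVE:
            continue  # intra-forest or external trust: different problem space
        if not t["trustDirection"] & DIR_INBOUND:
            continue  # our users never authenticate across it
        state = tgt_delegation_state(attrs)
        if state == "disabled":
            continue
        findings.append({"trust": t["name"], "tgt_delegation": state})
    return findings


# Constructed sample trust objects (names are placeholders)
SAMPLE_TRUSTS = [
    {"name": "partner.example", "trustDirection": 3, "trustAttributes": TA_FOREST_TRANSITIVE},
    {"name": "legacy.example", "trustDirection": DIR_INBOUND,
     "trustAttributes": TA_FOREST_TRANSITIVE | TA_CROSS_ORG_ENABLE_TGT_DELEGATION},
    {"name": "hardened.example", "trustDirection": 3,
     "trustAttributes": TA_FOREST_TRANSITIVE | TA_CROSS_ORG_NO_TGT_DELEGATION},
    {"name": "child.corp.example", "trustDirection": 3, "trustAttributes": TA_WITHIN_FOREST},
    {"name": "vendor.example", "trustDirection": DIR_OUTBOUND, "trustAttributes": TA_FOREST_TRANSITIVE},
]

if __name__ == "__main__":
    for f in audit_trusts(SAMPLE_TRUSTS):
        print(f"{f['trust']}: TGT delegation across trust is {f['tgt_delegation']}")
```

On a real domain the same bits are exposed by the ActiveDirectory module as the TGTDelegation property of Get-ADTrust output, and the setting is changed with the /EnableTgtDelegation switch of netdom trust; run the audit from the forest whose identities you are protecting, not from the resource forest.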


ID: CVE-2020-0674

Title: Microsoft Scripting Engine Memory Corruption Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID: CVE-2020-0759

Title: Microsoft Excel Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system.

CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID: CVE-2020-8808

Title: CORSAIR iCUE Driver Local Privilege Escalation Vulnerability

Vendor: CORSAIR

Description: The CorsairLLAccess64.sys and CorsairLLAccess32.sys drivers in CORSAIR iCUE allow local non-privileged users to read and write arbitrary physical memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges, by issuing IOCTLs that the driver services with calls such as MmMapIoSpace.

CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


ID: CVE-2019-8449

Title: Atlassian Jira Information Disclosure Vulnerability

Vendor: Atlassian

Description: The /rest/api/latest/groupuserpicker resource in Jira allows remote attackers to enumerate usernames through an information disclosure vulnerability.

CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)


ID: CVE-2019-18634

Title: Sudo pwfeedback Buffer Overflow Vulnerability

Vendor: Multi-Vendor

Description: A stack-based buffer overflow exists in sudo when the pwfeedback option (which echoes asterisks as the password is typed) is enabled in sudoers. If pwfeedback is enabled in /etc/sudoers, an unprivileged user can trigger the overflow in the privileged sudo process by delivering a long string to the stdin read by getln() in tgetpass.c. The option is off by default upstream, but some distributions, such as Linux Mint and elementary OS, ship with it enabled; the bug is fixed in sudo 1.8.31.

CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
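Because this bug only matters when a configuration option is set, the practical check is to audit sudoers rather than just the sudo version. The following is an added example, not code from the sudo project or the Qualys team: it finds every Defaults line that turns pwfeedback on or off (including per-user, per-host and per-command Defaults scopes and the !pwfeedback negation), compares the sudo version against the affected range, and shows the weak configuration beside the corrected one. The two sudoers texts are constructed samples.

```python
# Added example (not sudo project code): audit sudoers for pwfeedback and check the
# sudo version against the CVE-2019-18634 range. Sample sudoers texts are constructed.
import re
from typing import Dict, List, Tuple

# Matches "Defaults", "Defaults@host", "Defaults:user", "Defaults!command", "Defaults>runas"
DEFAULTS_RE = re.compile(r"^Defaults([@:!>][^\s,]+)?\s+(.*)$")


def sudoers_pwfeedback(sudoers_text: str) -> List[Tuple[int, str, bool]]:
    """Return (line_no, scope, enabled) for each Defaults entry that sets pwfeedback.
    Backslash line continuations are joined first; comments are stripped."""
    joined = sudoers_text.replace("\\\n", " ")
    found = []
    for n, raw in enumerate(joined.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        scope = m.group(1) or "global"
        for opt in m.group(2).split(","):
            opt = opt.strip()
            if opt == "pwfeedback":
                found.append((n, scope, True))
            elif opt == "!pwfeedback":
                found.append((n, scope, False))
    return found


def parse_sudo_version(s: str) -> Tuple[int, ...]:
    """Turn strings such as '1.8.21p2' into a comparable tuple (1, 8, 21, 2)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised sudo version: {s!r}")
    return tuple(int(x or 0) for x in m.groups())


def version_in_affected_range(version: str) -> bool:
    """Affected per the sudo advisory: 1.7.1 through 1.8.30; fixed in 1.8.31.
    Distributions backport fixes without bumping the version, so treat a hit as a
    prompt to check the package changelog rather than as proof."""
    return (1, 7, 1, 0) <= parse_sudo_version(version) < (1, 8, 31, 0)


def assess(sudoers_text: str, sudo_version: str) -> Dict:
    """Combine both checks. Later Defaults lines override earlier ones for the same scope."""
    final_state: Dict[str, bool] = {}
    for _, scope, enabled in sudoers_pwfeedback(sudoers_text):
        final_state[scope] = enabled
    enabled_scopes = sorted(s for s, on in final_state.items() if on)
    affected = version_in_affected_range(sudo_version)
    return {
        "pwfeedback_scopes": enabled_scopes,
        "version_affected": affected,
        "vulnerable": bool(enabled_scopes) and affected,
    }


# Constructed sample: the weak setting (pwfeedback on globally) ...
WEAK_SUDOERS = """\
# visual feedback while typing the password
Defaults    env_reset
Defaults    pwfeedback, mail_badpass
%sudo ALL=(ALL:ALL) ALL
"""
# ... and the corrected configuration, which disables it explicitly
FIXED_SUDOERS = """\
Defaults    env_reset
Defaults    !pwfeedback
%sudo ALL=(ALL:ALL) ALL
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_SUDOERS), ("fixed", FIXED_SUDOERS)):
        print(label, assess(text, "1.8.21p2"))
```

On a live system feed the script the output of `sudo -V` for the version and `visudo -c -f /etc/sudoers` plus the files under /etc/sudoers.d for the configuration; the regex also catches a `Defaults:alice pwfeedback` that only exposes one account.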


ID: CVE-2019-19470

Title: Tinywall Controller Privilege Escalation Vulnerability

Vendor: Tinywall

Description: In TinyWall, unsafe use of .NET deserialization when processing messages received over a Named Pipe allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM. An attacker who has already compromised the local system could use TinyWall Controller to gain additional privileges by attaching a debugger to the running process and modifying the code in memory.

CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7

MD5: 88cbadec77cf90357f46a3629b6737e6

VirusTotal: https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: PUA.Win.File.2144flashplayer::tpd


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos


SHA 256: 97d8ea6cee63296eaf0fa5d97a14898d7cec6fa49fee1bf77c015ca7117a2ba7

MD5: be52a2a3074a014b163096055df127a0

VirusTotal: https://www.virustotal.com/gui/file/97d8ea6cee63296eaf0fa5d97a14898d7cec6fa49fee1bf77c015ca7117a2ba7/details

Typical Filename: xme64-553.exe

Claimed Product: N/A

Detection Name: Win.Trojan.Coinminer::tpd


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201