The Consensus Security Vulnerability Alert

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: ObliqueRAT spreads via malicious documents

Description: Cisco Talos has observed a malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread a remote access trojan (RAT) we're calling "ObliqueRAT." These maldocs use malicious macros to deliver the second-stage RAT payload. Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security. According to Talos researchers, ObliqueRAT has connections to the adversaries behind the CrimsonRAT discovered last year.

Reference: https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html

Snort SIDs: 53152 - 53163

Title: Multiple vulnerabilities in Cisco Data Center Network Manager

Description: Cisco Data Center Network Manager contains a privilege escalation vulnerability and a cross-site request forgery vulnerability. Cisco disclosed the high-severity vulnerabilities late last week. In the case of the privilege escalation vulnerability, an attacker could exploit the Network Manager in a way that would allow them to interact with the API with administrator-level privileges. A successful exploit could allow the attacker to interact with the API with administrative privileges.

Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200219-dcnm-priv-esc

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200219-dcnm-csrf

Snort SIDs: Snort Rule 53171 - 53176

The KidsGuard surveillance app exfiltrated data from targeted devices to an unprotected cloud storage bucket.

https://techcrunch.com/2020/02/20/kidsguard-spyware-app-phones/

A vulnerability in Bluetooth software development kits leaves numerous medical devices and other internet-of-things devices open to attacks.

https://www.wired.com/story/bluetooth-flaws-ble-internet-of-things-pacemakers/

Mexico's economy ministry said it detected a cyber attack on its network over the weekend.

https://in.reuters.com/article/mexico-economy-cyberattack/mexicos-economy-ministry-hit-by-cyber-attack-idINKCN20J0FQ

American and British government agencies teamed up to formally blame Russia for a massive cyber attack on the country of Georgia last year; the attacks targeted web hosting providers, broadcasters, and numerous government, NGO, and business websites.

https://www.cnn.com/2020/02/20/politics/russia-georgia-hacking/index.html

Dell sold its RSA security business, including the popular RSA conference, to a private equity firm for $2 billion.

https://rcpmag.com/articles/2020/02/21/consortium-buys-rsa-from-dell.aspx?m=1

This year's RSA Conference kicked off earlier this week. Here is a roundup of some of the major announcements made thus far.

https://www.csoonline.com/article/3527306/hottest-new-cybersecurity-products-at-rsa-conference-2020.html

French sporting goods chain Decathlon leaked the information of more than 123 million customers and employees on an unsecured Elasticsearch server.

https://www.infosecurity-magazine.com/news/sports-giant-decathlon-leaks-123/

Google released the latest version of its Chrome web browser, starting a rollback of third-party cookies. Chrome 80 also includes a new capability called ScrollToTextFragment, which security researchers worry could be exploited to expose sensitive information.

https://www.adweek.com/digital/new-deep-linking-feature-in-google-chrome-80-sparks-privacy-concerns/

The adversaries behind the DoppelPaymer ransomware launched a new site that they say will be used to publish the information and stolen data of victims who do not pay the requested extortion payment.

https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.

ID: CVE-2020-1938

Title: Apache Tomcat AJP File Inclusion Vulnerability

Vendor: Apache

Description: Apache Tomcat AJP file inclusion vulnerability allows an attacker to read any webapps files. If the Tomcat instance supports file uploads, the vulnerability could also be leveraged to achieve remote code execution.

CVSS v2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2020-0618

Title: Microsoft SQL Server Reporting Services Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. To exploit the vulnerability, an authenticated attacker would need to submit a specially crafted page request to an affected Reporting Services instance.

CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

ID: CVE-2020-8813

Title: Cacti authenticated Remote Code Execution Vulnerability

Vendor: Cacti

Description: graph_realtime.php in Cacti allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege. This vulnerability could be exploited without authentication if Cacti is enabling "Guest Realtime Graphs" privilege.

CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2020-8794

Title: OpenBSD OpenSMTPD Local Privilege Escalation and Remote Code Execution Vulnerability

Vendor: OpenBSD

Description: An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.

CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

ID: CVE-2018-8611

Title: Microsoft Windows Kernel Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker could then run a specially crafted application to take control of an affected system.

CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2020-3765

Title: Adobe After Effects Out-of-Bounds Write Vulnerability (APSB20-09)

Vendor: Adobe

Description: Adobe After Effects have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution.

CVSS v2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7

MD5: 88cbadec77cf90357f46a3629b6737e6

VirusTotal: https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: PUA.Win.File.2144flashplayer::tpd

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201