Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Details of new Mozart malware family unveiled

Description: A new malware family known as "Mozart" uses DNS queries to communicate with a command-and-control server run by its operators, letting its traffic blend in with ordinary name resolution rather than stand out as HTTP. It evades detection by disguising itself and by executing JScript files. Once a machine is infected, Mozart can download other malware onto it, including ransomware and cryptocurrency miners. The malware is typically spread through spam campaigns carrying malicious PDF attachments: when the victim opens the PDF, it displays a message claiming that the PDF reader lacks a required font and asks the user to download it, and the download link actually points to a malicious ZIP file.

Reference: https://www.pcrisk.com/removal-guides/17152-mozart-malware

Snort SIDs: 53364 - 53373


Title: Ryuk ransomware strikes across the globe

Description: Several reports surfaced over the past week of Ryuk ransomware attacks carried out over the course of the past year. Notable recent victims include a Fortune 500 company specializing in mechanical and electrical construction, a local library system and police department in Florida, and a school district in New Mexico. Ryuk infections typically begin with phishing emails that deliver loader trojans such as Emotet and TrickBot; the toolset used in these intrusions includes credential theft and, in some cases, the deployment of a cryptocurrency miner before the ransomware itself is launched.

Reference: https://www.infosecurity-magazine.com/blogs/ryuk-defending-ransomware/

Snort SIDs: 53333, 53334, 53336, 53337

Internet Storm Center Entries


A BuzzFeed News investigation found that the controversial Clearview AI facial recognition company is partnering with more than 2,200 government organizations and private companies across the U.S., including the U.S. Justice Department, Immigration and Customs Enforcement and even the NBA.

https://www.buzzfeednews.com/article/ryanmac/clearview-ai-fbi-ice-global-law-enforcement


An NSA program that collected metadata from Americans' phone calls produced only two leads over its four years in existence, despite costing $100 million to run.

https://www.theatlantic.com/ideas/archive/2020/02/costs-spying/607177/


A new variant of the Cerberus trojan for Android devices can steal users' Google Authenticator two-factor authentication codes, giving attackers access to accounts protected by them.

https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/


A flaw in widely used Broadcom and Cypress Wi-Fi chips, dubbed "Kr00k", allows an adversary within radio range to decrypt some traffic protected by WPA2 Personal and WPA2 Enterprise.

https://threatpost.com/billions-of-devices-wifi-encryption-hack/153267/


Online prescription provider GoodRx announced it was stopping an information-sharing partnership with Google and Facebook after multiple reports made customers aware of the relationships.

https://nakedsecurity.sophos.com/2020/03/03/goodrx-stops-sharing-personal-medical-data-with-google-facebook/


The U.S.'s so-called "Super Tuesday" in the primary elections was shaping up to be the country's first major test of its cyber security preparedness for this year's election season.

https://www.cnbc.com/2020/03/03/on-super-tuesday-us-voting-technology-will-be-under-intense-scrutiny.html


American officials charged two Chinese nationals with laundering more than $100 million worth of cryptocurrency for a state-sponsored North Korean threat actor.

https://www.washingtonpost.com/local/legal-issues/two-chinese-nationals-indicted-in-cryptocurrency-laundering-scheme-linked-to-north-korea/2020/03/02/b6a286c2-5c8d-11ea-9055-5fa12981bbbf_story.html


The U.S. Federal Communications Commission outlined a plan to fine wireless carriers up to $200 million for selling customers' location data.

https://krebsonsecurity.com/2020/02/fcc-proposes-to-fine-wireless-carriers-200m-for-selling-customer-location-data/


MITRE released the newest version of its Common Weakness Enumeration list, adding new categories for security vulnerabilities that could arise in hardware design.

https://www.helpnetsecurity.com/2020/02/27/hardware-security-weaknesses/


Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-0683

Title: Microsoft Windows Installer Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-1938

Title: Apache Tomcat AJP File Inclusion Vulnerability ("Ghostcat")

Vendor: Apache

Description: The AJP connector (TCP port 8009), which is enabled by default in affected Tomcat versions, trusts request attributes supplied by whoever connects to it, since AJP is meant to be spoken only by a trusted reverse proxy. An attacker who can reach the port can craft an AJP request that sets these attributes and read arbitrary files under the web application root, including WEB-INF/web.xml and other configuration files. If the application also accepts file uploads, the same defect can be used to process an uploaded file as a JSP and execute code on the server.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
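The fix that shipped in Tomcat 9.0.31, 8.5.51 and 7.0.100 did not change the AJP protocol; it changed the connector's defaults (commented out, bound to loopback, and refusing connections unless the proxy presents a shared secret). Below is an added example, not Tomcat project code, that audits a server.xml for the two conditions that make Ghostcat remotely exploitable: an AJP connector listening beyond loopback and no shared secret required. Both server.xml fragments are constructed for the example; the attribute names (`address`, `secretRequired`, `secret`) are Tomcat's own.

```python
"""Audit Tomcat server.xml AJP connectors for CVE-2020-1938 (Ghostcat) exposure.

Added example, not Tomcat project code. Each <Connector> using AJP/1.3 is
checked against the hardening Tomcat applied in 9.0.31 / 8.5.51 / 7.0.100:
the connector should be absent, bound to loopback only, or require a shared
secret from the reverse proxy.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed fragment: the pre-9.0.31 default, AJP listening on every
# interface with no authentication of the reverse proxy.
VULNERABLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# Constructed fragment: the connector bound to loopback and protected by a
# shared secret that the proxy (e.g. mod_proxy_ajp's `secret=` option) must send.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-RANDOM-SECRET" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> List[Dict]:
    """Return one finding per AJP connector; an empty 'issues' list means hardened."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        issues = []
        address = conn.get("address")
        # Tomcat before 9.0.31 binds to all interfaces when `address` is omitted,
        # so an unset value is treated as externally reachable.
        if address is None or address not in LOOPBACK:
            issues.append("AJP connector reachable from non-loopback addresses")
        # `secretRequired` defaults to true only from 9.0.31 on; older versions
        # have no such attribute, so an unset value is treated as false here.
        secret_required = conn.get("secretRequired", "false").lower() == "true"
        if not secret_required or not conn.get("secret"):
            issues.append("no shared secret required from the reverse proxy")
        findings.append({"port": conn.get("port"), "address": address or "0.0.0.0", "issues": issues})
    return findings


def is_exposed(server_xml: str) -> bool:
    """True when some AJP connector is both externally reachable and unauthenticated,
    i.e. the combination Ghostcat needs for remote file disclosure."""
    return any(len(f["issues"]) == 2 for f in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, xml_text in (("vulnerable", VULNERABLE_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for f in audit_ajp_connectors(xml_text):
            status = "EXPOSED" if f["issues"] else "ok"
            print(f"{label}: AJP port {f['port']} on {f['address']}: {status} {f['issues']}")
```

A connector that is loopback-only but still lacks a secret is reported with one issue rather than flagged as exposed: it is not reachable for Ghostcat over the network, but any local process that can open 127.0.0.1:8009 can still read the web root, so the secret is worth setting regardless.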


ID: CVE-2019-9465

Title: Google's Titan M chip Information Disclosure Vulnerability

Vendor: Google

Description: In the Titan M handling of cryptographic operations, there is a possible information disclosure due to an unusual root cause. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-10 Android ID: A-133258003.

CVSS v3 Base Score: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)


ID: CVE-2020-8794

Title: OpenBSD OpenSMTPD Local Privilege Escalation and Remote Code Execution Vulnerability

Vendor: OpenBSD

Description: An out-of-bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file, which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2019-15126

Title: WPA and WPA2 Disassociation Vulnerability ("Kr00k")

Vendor: Multi-Vendor

Description: An issue was discovered on Broadcom and Cypress Wi-Fi client chipsets. Specifically timed and handcrafted traffic (a forced disassociation) causes an internal state-transition error in the WLAN device: the chip clears the session key but still transmits the frames remaining in its buffer, encrypting them with an all-zero key. An adversary within radio range can therefore capture and decrypt a discrete set of traffic regardless of the strength of the WPA2 passphrase.

CVSS v3 Base Score: 3.1 (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)


ID: CVE-2020-6418

Title: Google Chrome Heap Corruption Vulnerability

Vendor: Google

Description: Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google reported that an exploit for this issue existed in the wild at the time of the fix; successful exploitation could allow an attacker to execute arbitrary code in the context of the browser's renderer process.

CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94

MD5: 7c38a43d2ed9af80932749f6e80fea6f

VirusTotal: https://www.virustotal.com/gui/file/c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94/details

Typical Filename: wup.exe

Claimed Product: N/A

Detection Name: PUA.Win.File.Coinminer::1201


SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7

MD5: 88cbadec77cf90357f46a3629b6737e6

VirusTotal: https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: PUA.Win.File.2144flashplayer::tpd


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201