Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Parallax malware-for-sale increasingly spread through spam

Description: The Parallax remote access trojan has been seen increasingly in spam emails since it became publicly available on hacker forums. The malware-as-a-service costs roughly $65 a month. Attackers use the RAT to gain access to a victim's machine, then steal login credentials and files and execute code. Users should be vigilant for phony emails containing malicious links that point to a Parallax download.

Reference: https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/

Snort SIDs: 53437 - 53440


Title: Zoho ManageEngine contains remote code execution vulnerability, being exploited in the wild

Description: Attackers are exploiting a remote code execution vulnerability in Zoho ManageEngine in the wild. The bug, identified as CVE-2020-10189, could allow an attacker to deserialize data and then execute arbitrary code on the victim machine with SYSTEM or root privileges. One security researcher discovered 2,300 unprotected instances utilizing ManageEngine.

Reference: https://www.helpnetsecurity.com/2020/03/10/cve-2020-10189/

Snort SIDs: 53433 - 53435

Internet Storm Center Entries


The COVID-19 pandemic has attackers looking to capitalize on current events, specifically by spreading a popular map app that claims to show where new virus cases are.

https://arstechnica.com/information-technology/2020/03/the-internet-is-drowning-in-covid-19-related-malware-and-phishing-scams/


More workers across the globe are also staying home as part of "social distancing," which leaves large organizations open to cyber attacks. Here are some tips for staying safe online while working remotely.

https://www.zdnet.com/article/working-from-home-cybersecurity-tips-for-remote-workers/


The US Department of Health and Human Services suffered a cyber attack earlier this week as the government scrambled to respond to COVID-19.

https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response


Microsoft released an out-of-band security update for a vulnerability in SMBv3 that could allow attackers to connect to remote systems while SMB is enabled.

https://www.zdnet.com/article/microsoft-patches-smbv3-wormable-bug-that-leaked-earlier-this-week/


The US Senate passed a 77-day extension of its surveillance powers, which allows agencies to carry out "roving" wiretaps and other actions, though leaders promise they will use that time to make changes to the policy.

https://thehill.com/policy/national-security/487910-senate-clears-77-day-extension-of-surveillance-powers


US Congress is working on a bill that would essentially allow lawmakers to bypass end-to-end encryption, though it has largely gone unnoticed during the COVID-19 outbreak.

https://www.theverge.com/interface/2020/3/12/21174815/earn-it-act-encryption-killer-lindsay-graham-match-group


A new bill in the US Senate would ban the Chinese-developed app TikTok from federal workers' mobile devices.

https://www.politico.com/news/2020/03/12/senate-bill-would-ban-tiktok-on-federal-employees-work-phones-126727


A new strain of Android malware known as "Cookiethief" is stealing users' Facebook credentials.

https://www.darkreading.com/new-android-malware-strain-sneaks-cookies-from-facebook/d/d-id/1337304


Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-0796

Title: Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-0787

Title: Microsoft Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-0688

Title: Microsoft Exchange Memory Corruption Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2019-1019

Title: Microsoft Windows Security Feature Bypass Vulnerability

Vendor: Microsoft

Description: A security feature bypass vulnerability exists where a NETLOGON message is able to obtain the session key and sign messages. To exploit this vulnerability, an attacker could send a specially crafted authentication request. An attacker who successfully exploited this vulnerability could access another machine using the original user privileges.

CVSS v3 Base Score: 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2019-18683

Title: Linux Kernel Use After Free Vulnerability

Vendor: Multi-Vendor

Description: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free.

CVSS v3 Base Score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-1938

Title: Apache Tomcat AJP File Inclusion Vulnerability ("Ghostcat")

Vendor: Apache

Description: Due to a file inclusion defect in the AJP service (port 8009), which is enabled by default in Tomcat, an attacker can construct a malicious request that performs a file inclusion operation and then read files from the web directory of the affected Tomcat server.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-8794

Title: OpenBSD OpenSMTPD Local Privilege Escalation and Remote Code Execution Vulnerability

Vendor: OpenBSD

Description: An out-of-bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file, which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the privileges of the _smtpq group.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 8e0aea169927ae791dbafe063a567485d33154198cd539ee7efcd81a734ea325

MD5: 5fb477098fc975fd1b314c8fb0e4ec06

VirusTotal: https://www.virustotal.com/gui/file/8e0aea169927ae791dbafe063a567485d33154198cd539ee7efcd81a734ea325/details

Typical Filename: upxarch.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in07.talos


SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7

MD5: 88cbadec77cf90357f46a3629b6737e6

VirusTotal: https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: PUA.Win.File.2144flashplayer::tpd


SHA 256: 1bbcd367a317af33aee72ae06f5f38067f27b27a0f321b54325cfb0f7431ebe7

MD5: 06fad4d91f0e79143d1270ad0b1fce3f

VirusTotal: https://www.virustotal.com/gui/file/1bbcd367a317af33aee72ae06f5f38067f27b27a0f321b54325cfb0f7431ebe7/details

Typical Filename: set-up.exe

Claimed Product: uTorrent

Detection Name: W32.1BBCD367A3-100.SBX.VIOC


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos


SHA 256: 64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b

MD5: 42143a53581e0304b08f61c2ef8032d7

VirusTotal: https://www.virustotal.com/gui/file/64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b/details

Typical Filename: myfile.exe

Claimed Product: N/A

Detection Name: Pdf.Phishing.Phishing::malicious.tht.talos