Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Mozilla releases fixes for two use-after-free vulnerabilities in Firefox

Description: Mozilla released patches for two use-after-free vulnerabilities in its Firefox web browser. The company said it saw attackers actively exploiting the bugs in the wild, which prompted it to release the emergency updates. In both cases, a race condition in the browser can cause a use-after-free condition, though Mozilla has not provided information on how, exactly, these vulnerabilities were used in attacks.

Reference: https://duo.com/decipher/mozilla-fixes-two-firefox-flaws-under-active-attack

Snort SIDs: 53580, 53581


Title: Critical CODESYS vulnerability could allow attacker to crash server, execute remote code

Description: A critical bug in 3S' CODESYS automation software could allow an attacker to crash an affected server or execute remote code on the web server. 3S released a patch for the vulnerability, identified as CVE-2020-10245, which received a severity score of 10 out of 10. The bug is a heap-based buffer overflow in the software that could cause a denial of service.

Reference: https://threatpost.com/critical-codesys-bug-remote-code-execution/154213/

Snort SIDs: 53557, 53558

Security News


Marriott disclosed that hackers used login credentials belonging to two employees of a franchise company to access customer data, compromising the information of more than 5 million customers.

https://www.cnet.com/news/marriott-discloses-new-data-breach-impacting-5-point-2-million-guests/


Researchers discovered potential security flaws in video conference platform Zoom's encryption method, including sending some encryption keys through servers in China.

https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/


After a wave of negative headlines concerning Zoom and its security features, the Taiwanese government informed employees they should not be using the conferencing app while they work from home during the COVID-19 crisis.

https://www.bloomberg.com/news/articles/2020-04-07/taiwan-bans-government-use-of-zoom-over-cybersecurity-concerns


A critical vulnerability in a popular WordPress plugin could allow attackers to completely lock admins out of their sites, the latest in a string of bugs for plugins for the popular content management system.

https://threatpost.com/critical-wordpress-plugin-bug-lock-admins-out/154354/


A new COVID-19-themed malware family can completely wipe victims' computers and, in some cases, rewrite MBR sectors.

https://www.zdnet.com/article/theres-now-covid-19-malware-that-will-wipe-your-pc-and-rewrite-your-mbr/


Microsoft purchased controversial domain corp[.]com with the goal of keeping it out of bad actors' hands.

https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-so-bad-guys-cant/


While the vast majority of individuals across the globe are staying home during the COVID-19 crisis, their internet usage has changed, including spending an increasing amount of time on streaming sites while seeing a reduction in mobile device usage.

https://www.nytimes.com/interactive/2020/04/07/technology/coronavirus-internet-use.html


With more college classes moving completely online for the remainder of the semester, some schools have started using online proctor services, which students and professors have said is an invasion of privacy.

https://www.washingtonpost.com/technology/2020/04/01/online-proctoring-college-exams-coronavirus/


NASA says it's seen an "exponential" increase in attempted cyber attacks as more of its employees began working remotely due to the COVID-19 pandemic.

https://arstechnica.com/information-technology/2020/04/nasa-sees-an-exponential-jump-in-malware-attacks-as-personnel-work-from-home/


A cyber attack on Italy's Social Security website took down its services, temporarily preventing individuals from receiving government stimulus checks connected to a COVID-19 relief package.

https://www.forbes.com/sites/daveywinder/2020/04/02/covid-19-payouts-disrupted-as-heartless-hackers-attack-italian-crisis-benefits-site/

Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-0674

Title: Microsoft Scripting Engine Memory Corruption Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2020-0796

Title: Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-0041

Title: Google Android Privilege Escalation Vulnerability

Vendor: Android

Description: In binder_transaction of binder.c, there is a possible out-of-bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-10204

Title: Sonatype Nexus Repository Remote Code Execution Vulnerability

Vendor: Sonatype

Description: A Remote Code Execution vulnerability exists in Nexus Repository Manager. The vulnerability allows for an attacker with any type of account on NXRM to execute arbitrary code by crafting a malicious request to NXRM.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-3947

Title: VMware Workstation vmnetdhcp Denial of Service Vulnerability

Vendor: VMware

Description: VMware Workstation contains a use-after-free vulnerability in vmnetdhcp. Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial of service condition in the vmnetdhcp service running on the host machine.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-3919

Title: Apple macOS Privilege Escalation Vulnerability

Vendor: Apple

Description: A memory initialization issue was addressed with improved memory handling. A malicious application may be able to execute arbitrary code with kernel privileges.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2020-7982

Title: OpenWrt's opkg Man In The Middle Attack Vulnerability

Vendor: OpenWrt

Description: A bug in the fork of the opkg package manager before 2020-01-25 prevents correct parsing of embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary package payloads (which are installed without verification).

CVSS v3 Base Score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-8515

Title: DrayTek pre-auth Remote Code Execution Vulnerability

Vendor: DrayTek

Description: DrayTek devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776

MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea

VirusTotal: https://www.virustotal.com/gui/file/a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::in03.talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: f2016341595.exe

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos