The Consensus Security Vulnerability Alert

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft releases monthly security update

Description: Microsoft released its monthly security update this week, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 113 vulnerabilities. Eighteen of the flaws Microsoft disclosed are considered critical, while one is considered "moderate." The remainders are scored as being "important" updates. This month's security update covers security issues in a variety of Microsoft services and software, including SharePoint, the Windows font library and the Windows kernel.

Reference: https://blog.talosintelligence.com/2020/04/microsoft-patch-tuesday-april-2020.html

Snort SIDs: 53489 - 53492, 53619 - 53630, 53652 - 53655

Title: DrayTek routers, switches open to attack

Description: Tech company DrayTek recently patched two zero-day vulnerabilities in some of its routers and switches that could allow malicious actors to monitor traffic and install backdoors on affected networks. DrayTek worked with security researchers to discover the vulnerabilities and active exploitations in December, and patches were made available in late March. Users are encouraged to patch their devices as soon as possible or disable remote admin access.

Reference: https://www.scmagazine.com/home/security-news/vulnerabilities/zero-day-vulnerabilities-used-against-draytek-routers-and-switches/

Snort SIDs: 53591, 53592

Apple and Google announced plans to jointly develop a service that will alert users if they've been near someone who's been diagnosed with COVID-19.

https://techcrunch.com/2020/04/10/apple-and-google-are-launching-a-joint-covid-19-tracing-tool/

This "contact tracing" service has raised some concerns over privacy, however, and potential inequalities over individuals' access to wireless networks.

https://www.cnet.com/news/how-youll-get-apple-and-googles-contact-tracing-update-for-your-phone/

Cisco Talos researchers discovered many devices' fingerprint scanners can be tricked using 3-D printed models and resin copies of users' fingerprints.

https://blog.talosintelligence.com/2020/04/fingerprint-research.html

Foreign currency exchange company Travelex paid a $2.3 million ransomware demand in January. (Please note that this story is behind a paywall.)

https://www.wsj.com/articles/travelex-paid-hackers-multimillion-dollar-ransom-before-hitting-new-obstacles-11586440800

Teleconferencing platform Zoom has taken steps to address some of the privacy and security concerns raised by experts.

https://www.fastcompany.com/90488717/can-you-trust-zoom

Microsoft says every country in the world has now seen at least one COVID-19-themed cyber attack, many of them utilizing the Emotet and Trickbot families.

https://www.microsoft.com/security/blog/2020/04/08/microsoft-shares-new-threat-intelligence-security-guidance-during-global-crisis/

Individuals working from home are looking toward upgrading to mesh Wi-Fi networks to improve their wireless internet speed while more employees work from home during the pandemic.

https://arstechnica.com/gadgets/2020/04/remote-work-lagging-if-you-cant-plug-it-in-upgrade-to-mesh/

Scammers are attempting to capitalize on the COVID-19 pandemic by offering phony services and health products through "gig economy" apps like Fiverr.

https://www.vice.com/en_us/article/v74ay9/fiverr-coronavirus-healers-mask-sellers

Online casino magnate SBTech is setting aside $30 million to respond to a cyber attack from last month as part of an acquisition agreement.

zdnet.com/article/gambling-company-to-set-aside-30-million-to-deal-with-cyber-attack-fallout/

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.

ID: CVE-2020-0760

Title: Microsoft Office Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVSS v3 Base Score: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

ID: CVE-2020-1027

Title: Microsoft Windows Kernel Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

ID: CVE-2020-1020

Title: Microsoft Adobe Font Manager Library Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

ID: CVE-2020-0687

Title: Microsoft Graphics Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

ID: CVE-2019-1381

Title: Microsoft Windows Information Disclosure Vulnerability

Vendor: Microsoft

Description: An information disclosure vulnerability exists when the Windows Servicing Stack allows access to unprivileged file locations. An attacker who successfully exploited the vulnerability could potentially access unauthorized files.

CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2020-0968

Title: Microsoft Scripting Engine Memory Corruption Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

ID: CVE-2020-0939

Title: Microsoft Media Foundation Information Disclosure Vulnerability

Vendor: Microsoft

Description: An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776

MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea

VirusTotal: https://www.virustotal.com/gui/file/a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::in03.talos

SHA 256: 589d9977a5b0420d29acc0c1968a2ff48102ac3ddc0a1f3188be79d0a4949c82

MD5: bf1d79fad6471fcf50e38a9ea1f646a5

VirusTotal: https://www.virustotal.com/gui/file/589d9977a5b0420d29acc0c1968a2ff48102ac3ddc0a1f3188be79d0a4949c82/details

Typical Filename: wupxarch.exe

Claimed Product: N/A

Detection Name: W32.Auto:589d99.in03.Talos

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: 518a8844dae953d7f2510d38ba916f1c4ccc01cfba58f69290938b6ddde8b472

MD5: 9b47b9f19455bf56138ddb81c93b6c0c

VirusTotal: https://www.virustotal.com/gui/file/518a8844dae953d7f2510d38ba916f1c4ccc01cfba58f69290938b6ddde8b472/details

Typical Filename: updateprofile.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Generic::tpd

SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871

MD5: c2406fc0fce67ae79e625013325e2a68

VirusTotal: https://www.virustotal.com/gui/file/1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871/details

Typical Filename: SegurazoIC.exe

Claimed Product: Segurazo IC

Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg