Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: New remote access trojan "PoetRAT" uses coronavirus-themed lures

Description: A previously undocumented remote access trojan known as "PoetRAT" uses coronavirus-themed documents and emails to lure victims. The malware is split into two components so that neither one, seen on its own, is enough to trigger detection. The dropper uses an old trick in a new way: the RAT is appended to a Word document, and a macro that runs when the document is opened carves the payload out and executes it. The operation appears to be driven manually, but it is streamlined to deploy additional tools as needed while avoiding unnecessary steps.

Reference: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html

Snort SIDs: 53689 - 53691


Title: Cisco discloses 17 critical vulnerabilities in UCS software

Description: Cisco patched 17 critical vulnerabilities last week in its Unified Computing System (UCS) Director and UCS Director Express for Big Data software, which is used to build private clouds and optimize data-center resources. An attacker who successfully exploited these flaws could gain remote access to affected systems or cause denial-of-service conditions. Most of the flaws lie in the UCS Director REST API.

Reference: https://www.networkworld.com/article/3537992/cisco-says-to-patch-critical-ucs-security-holes-now.html

Snort SIDs: 53667 - 53683

Security News


Hackers are reportedly selling two zero-day vulnerabilities in the Zoom video conferencing service; one of the exploits affects Windows, and the other affects OS X.

https://www.vice.com/en_us/article/qjdqgv/hackers-selling-critical-zoom-zero-day-exploit-for-500000


A new report from Google says the company saw more than 18 million spam emails per day related to the COVID-19 pandemic during the week of April 5 - 12.

https://www.theverge.com/2020/4/16/21223800/google-malware-phishing-covid-19-coronavirus-scams


U.S. officials warned American financial institutions that they believe North Korean state-sponsored actors could soon launch cyberattacks that "pose a significant threat to the integrity and stability of the international financial system."

https://www.voanews.com/east-asia-pacific/north-korea-hackers-pose-significant-threat-global-finances-us-warns


A new court ruling prevents Twitter from disclosing details of the surveillance requests it has received from the American government.

https://www.reuters.com/article/us-usa-twitter-lawsuit/u-s-judge-blocks-twitters-bid-to-reveal-government-surveillance-requests-idUSKBN2200CS


American government contractors have been under attack from Chinese state-sponsored actors; counterintelligence officials said in an internal report that they had detected hundreds of unwanted inbound and outbound connections.

https://www.politico.com/news/2020/04/16/china-electric-panda-hackers-seek-us-targets-191220


Security researchers are pushing back against a new Pastebin policy that stops them from scraping newly posted data.

https://www.cyberscoop.com/pastebin-research-cybercrime-osint-scraping/


Scammers claiming to sell codes to download the popular new online video game "Valorant" are actually infecting victims with a keylogger.

https://www.tomsguide.com/news/valorant-beta-keygen-malware

Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-11100

Title: HAProxy hpack-tbl.c Out of Bounds Write Vulnerability

Vendor: Multi-Vendor

Description: A vulnerability exists in hpack-tbl.c in the HPACK decoder in HAProxy. A remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly leading to remote code execution. It could be exploited to gain access to sensitive information, to change contents or configuration on the system, or to cause a denial of service through interruptions in resource availability.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-0796

Title: Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain compressed requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. Microsoft's published workaround for servers is to disable SMBv3 compression until the update is installed.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
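
The flaw sits in SMBv3.1.1 compression, so the first question for an exposed host is whether it will negotiate compression at all. The probe below is an added example (not code from the newsletter, Qualys or Microsoft): it builds one SMB2 NEGOTIATE offering dialect 3.1.1 with the pre-auth integrity and compression contexts, and parses the reply to report the negotiated dialect and advertised compression algorithms. The sample response is constructed inline for offline use, not a real capture; the Microsoft workaround (DisableCompression) makes the compression context disappear, and the second sample models that case. A host that advertises compression is in scope, but the probe cannot tell a patched host from an unpatched one: confirm the update level on the host.

```python
"""SMBv3.1.1 compression exposure probe for CVE-2020-0796 (added example)."""
import os
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001   # SMB2_PREAUTH_INTEGRITY_CAPABILITIES
CTX_COMPRESSION = 0x0003         # SMB2_COMPRESSION_CAPABILITIES
SHA512 = 0x0001
COMPRESSION_NAMES = {1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman"}


def _pad8(buf: bytes) -> bytes:
    return buf + b"\x00" * (-len(buf) % 8)


def _ctx(ctype: int, data: bytes) -> bytes:
    # SMB2 NEGOTIATE_CONTEXT: ContextType, DataLength, Reserved, Data
    return struct.pack("<HHI", ctype, len(data), 0) + data


def _smb2_header(command: int) -> bytes:
    # ProtocolId, StructureSize, CreditCharge, Status, Command, CreditRequest, Flags,
    # NextCommand, MessageId, Reserved, TreeId, SessionId, Signature (64 bytes total)
    return SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, command, 1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request() -> bytes:
    """NetBIOS session header + SMB2 NEGOTIATE offering 3.1.1; a 3.1.1 offer
    must carry a pre-auth integrity context, and we add a compression one."""
    dialects = (0x0202, 0x0210, 0x0300, 0x0302, DIALECT_311)
    fixed_len = 64 + 36 + 2 * len(dialects)
    ctx_offset = fixed_len + (-fixed_len % 8)      # contexts are 8-byte aligned from the header start
    # StructureSize, DialectCount, SecurityMode (signing enabled), Reserved, Capabilities,
    # ClientGuid, NegotiateContextOffset, NegotiateContextCount, Reserved2, Dialects[]
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects), 1, 0, 0, uuid.uuid4().bytes, ctx_offset, 2, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    preauth = struct.pack("<HHH", 1, 32, SHA512) + os.urandom(32)   # one hash algorithm, 32-byte salt
    compression = struct.pack("<HHIH", 1, 0, 0, 1)                   # one algorithm, no flags, LZNT1
    msg = _pad8(_smb2_header(SMB2_NEGOTIATE) + body)
    msg += _pad8(_ctx(CTX_PREAUTH_INTEGRITY, preauth)) + _ctx(CTX_COMPRESSION, compression)
    return struct.pack(">I", len(msg)) + msg


def parse_negotiate_response(msg: bytes) -> dict:
    """Parse an SMB2 NEGOTIATE response (4-byte NetBIOS header already stripped)."""
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    status, command = struct.unpack_from("<IH", msg, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError(f"unexpected command {command:#x} / status {status:#x}")
    dialect, ctx_count = struct.unpack_from("<HH", msg, 68)    # DialectRevision, NegotiateContextCount
    (ctx_offset,) = struct.unpack_from("<I", msg, 124)        # NegotiateContextOffset
    info = {"dialect": dialect, "compression": []}
    off = ctx_offset
    for _ in range(ctx_count if dialect == DIALECT_311 else 0):   # contexts exist only for 3.1.1
        ctype, dlen = struct.unpack_from("<HH", msg, off)
        data = msg[off + 8: off + 8 + dlen]
        if ctype == CTX_COMPRESSION:
            (count,) = struct.unpack_from("<H", data, 0)       # CompressionAlgorithmCount, then Padding, Flags
            algos = struct.unpack_from(f"<{count}H", data, 8)
            info["compression"] = [COMPRESSION_NAMES.get(a, f"{a:#x}") for a in algos]
        off += 8 + dlen
        off += -off % 8                                        # next context is 8-byte aligned
    info["exposed"] = dialect == DIALECT_311 and bool(info["compression"])
    return info


def sample_response(algorithms=(1, 2, 3)) -> bytes:
    """Constructed NEGOTIATE response (not a real capture) from a 3.1.1 server.
    With an empty algorithm tuple it models a server with compression disabled."""
    contexts = _pad8(_ctx(CTX_PREAUTH_INTEGRITY, struct.pack("<HHH", 1, 32, SHA512) + b"\x11" * 32))
    if algorithms:
        contexts += _ctx(CTX_COMPRESSION, struct.pack("<HHI", len(algorithms), 0, 0)
                         + struct.pack(f"<{len(algorithms)}H", *algorithms))
    # StructureSize, SecurityMode, DialectRevision, NegotiateContextCount, ServerGuid, Capabilities,
    # MaxTransact/Read/WriteSize, SystemTime, ServerStartTime, SecBufOffset, SecBufLen, NegotiateContextOffset
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, DIALECT_311, 2 if algorithms else 1, b"\x00" * 16,
                       0x2F, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 128)
    return _smb2_header(SMB2_NEGOTIATE) + body + contexts


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Send the NEGOTIATE to a live host (assumed reachable on 445) and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        (nb,) = struct.unpack(">I", _recv_exact(s, 4))
        return parse_negotiate_response(_recv_exact(s, nb & 0x00FFFFFF))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_negotiate_response(sample_response()))
```

Run it with a hostname to probe a live server, or with no arguments to parse the constructed sample. The only SMB2 commands involved are NEGOTIATE and its reply; no session is established and nothing is sent that a patched or unpatched server handles differently.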


ID: CVE-2020-8835

Title: Linux Kernel Privilege Escalation Vulnerability

Vendor: Multi-Vendor

Description: It was discovered that the BPF verifier in the Linux kernel did not properly calculate register bounds for certain operations. A local attacker could use this to expose sensitive information (kernel memory) or gain administrative privileges.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-1967

Title: OpenSSL Denial of Service Vulnerability

Vendor: Multi-Vendor

Description: Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognized signature algorithm is received from the peer. This could be exploited by a malicious peer in a denial-of-service attack. Only applications that call SSL_check_chain() are affected; OpenSSL 1.1.1d, 1.1.1e and 1.1.1f are vulnerable, and 1.1.1g fixes the issue.

CVSS v3 Base Score: 5.0 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)


ID: CVE-2020-7066

Title: PHP Information Disclosure Vulnerability

Vendor: PHP

Description: In PHP, when get_headers() is called with a user-supplied URL that contains a NUL (\0) character, the URL is silently truncated at that character. This may cause some software to make incorrect assumptions about the target of the get_headers() call and possibly send information to the wrong server. A remote attacker can abuse this behavior to bypass security restrictions implemented within the application.

CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)


ID: CVE-2020-2555

Title: Oracle Coherence Remote Code Execution Vulnerability

Vendor: Oracle

Description: An easily exploitable Java deserialization vulnerability in the Oracle Coherence component of Oracle Fusion Middleware allows an unauthenticated attacker with network access via the T3 protocol to compromise Oracle Coherence. Successful exploitation can result in takeover of Oracle Coherence.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-3952

Title: VMware vCenter vmdir Information Disclosure Vulnerability

Vendor: VMware

Description: Under certain conditions vmdir does not correctly implement access controls. A malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services that depend on vmdir for authentication. The condition is an upgrade: vCenter Server 6.7 deployments that were upgraded from 6.0 or 6.5 are affected, while clean 6.7 installations are not.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776

MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea

VirusTotal: https://www.virustotal.com/gui/file/a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::in03.talos


SHA 256: fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4

MD5: c6dc7326766f3769575caa3ccab71f63

VirusTotal: https://www.virustotal.com/gui/file/fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4/details

Typical Filename: wupxarch.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos


SHA 256: 9cc2b845bdee4774e45143e00dc82c673bf940c764b687c976f8d27d9f48b704

MD5: 4202e589899ec68bc2d4fa6fb1218e2f

VirusTotal: https://www.virustotal.com/gui/file/9cc2b845bdee4774e45143e00dc82c673bf940c764b687c976f8d27d9f48b704/details

Typical Filename: app171.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::sbmt.talos


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201