Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: IndigoDrop spreads via military-themed lures to deliver Cobalt Strike

Description: Cisco Talos has observed a malware campaign that utilizes military-themed malicious Microsoft Office documents (maldocs) to spread Cobalt Strike beacons containing full-fledged RAT capabilities. These maldocs use malicious macros to deliver a multistage and highly modular infection. This campaign appears to target military and government organizations in South Asia. Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.

Reference: https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html

Snort SIDs: 54373 - 54376


Title: Qbot reemerges, goes after American banks

Description: The ever-changing Qbot information-stealing malware is back again and going after U.S.-based banks. Researchers say the malware family has a six-hour cycle that is uses to adapt and avoid detection. Attackers are spreading the malware via phishing emails, publicly reported exploits or malicious file shares. Qbot waits quietly on the victim machine until they visit a bank's website, and then it activates to steal the users' login credentials.

Reference: https://threatpost.com/qbot-trojan-us-banking-customers/156624/

Snort SIDs: 54384 - 54387

Security News


The Oracle software used to track users' web usage and serve them targeted ads left a server open on the internet, allowing anyone to see the software's insights.

https://techcrunch.com/2020/06/19/oracle-bluekai-web-tracking/


Threat actors are increasingly relying on CAPTCHAs to avoid automated detection.

https://arstechnica.com/information-technology/2020/06/to-evade-detection-hackers-are-requiring-targets-to-complete-captchas/


The U.S. Internal Revenue Service used cell phone location data to try and track down criminal suspects. (Please note that this story is behind a paywall.)

https://www.wsj.com/articles/irs-used-cellphone-location-data-to-try-to-find-suspects-11592587815


The FBI used Instagram posts, LinkedIn, and an Etsy review to identify a person suspected of setting two police cars on fire during protests in Philadelphia on May 30.

https://www.theverge.com/2020/6/18/21295301/philadelphia-protester-arson-identified-social-media-etsy-instagram-linkedin


An IBM survey found that 52 percent of Americans who are working from home during the COVID-19 pandemic are using their personal laptops for work, opening the door for many security exploits.

https://newsroom.ibm.com/2020-06-22-IBM-Security-Study-Finds-Employees-New-to-Working-from-Home-Pose-Security-Risk


More than 1,000 Google employees wrote a letter to management asking that the company no longer sell technology to police departments.

https://www.vice.com/en_us/article/889x3a/1600-google-employees-demand-no-tech-for-police


Hackers have started enabling multi-factor authentication after compromising accounts to make it more difficult for users to eventually recover their credentials.

https://krebsonsecurity.com/2020/06/turn-on-mfa-before-crooks-do-it-for-you/


A new collection of records called "BlueLeaks" claims to contain thousands of documents stolen from US from law enforcement agency fusion centers.

https://www.wired.com/story/blueleaks-anonymous-law-enforcement-hack/


Foreign policy experts at the United States Studies Centre at the University of Sydney are urging Australia and the US to "name and shame" state-sponsored threat actors attempting to steal COVID-19-related research.

https://www.smh.com.au/politics/federal/off-limits-australia-us-urged-to-name-and-shame-cyber-attackers-targeting-health-research-20200622-p554xo.html


Microsoft is acquiring CyberX, a start-up focused on IoT and industrial control system security.

https://venturebeat.com/2020/06/22/microsoft-acquires-cybersecurity-startup-cyberx/


Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID: CVE-2020-0022

Title: Google Android Bluetooth Remote Denial Of Service Vulnerability

Vendor: Google

Description: A remote denial of service vulnerability exists in Google Android. In reassemble_and_dispatch of packet_fragmenter.cc, there is possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed.

CVSS v3 Base Score: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-10189

Title: WPA and WPA2 Disassociation Vulnerability ("Kr00k")

Vendor: Multi-Vendor

Description: An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic.

CVSS v3 Base Score: 9.8 (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)


ID: CVE-2020-1170

Title: Microsoft Windows Defender Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in Windows Defender that leads arbitrary file deletion on the system. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-1181

Title: Microsoft SharePoint Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.Net web controls. An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process. To exploit the vulnerability, an authenticated user must create and invoke a specially crafted page on an affected version of Microsoft SharePoint Server.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-12388

Title: Firefox Default Content Process DACL Sandbox Escape Vulnerability

Vendor: Mozilla

Description: The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. Multiple vulnerabilities have been discovered in Mozilla Firefox and Mozilla Firefox ESR. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the logged-on user.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-3347

Title: Cisco Webex Meetings Desktop App for Windows Shared Memory Information Disclosure Vulnerability

Vendor: Cisco

Description: A vulnerability in Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to gain access to sensitive information on an affected system. The vulnerability is due to unsafe usage of shared memory that is used by the affected software. A successful exploit could allow the attacker to retrieve sensitive information from the shared memory, including usernames, meeting information, or authentication tokens that could aid the attacker in future attacks.

CVSS v3 Base Score: 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N


ID: CVE-2020-1054

Title: Microsoft Win32k Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

CVSS v3 Base Score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188

MD5: a10a6d9dfc0328a391a3fdb1a9fb18db

VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAntivirusService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 8e03f05ecd08cb78f37ccd92c48cd9d357c438112b85bd154e8261c19e38a56e

MD5: 60ba2a4b8ea5982a3a671a9e84f9268c

VirusTotal: https://www.virustotal.com/gui/file/8e03f05ecd08cb78f37ccd92c48cd9d357c438112b85bd154e8261c19e38a56e/details

Typical Filename: Diagnostics.txt

Claimed Product: N/A

Detection Name: Win.Dropper.Shadowbrokers::222044.in02