Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: SAP systems vulnerability could allow adversaries to create new user accounts, execute code

Description: The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released a warning last week urging SAP admins to update their systems as soon as possible to fix a critical vulnerability. CVE-2020-6287 affects the LM Configuration Wizard, a Java component of the SAP NetWeaver Application Server. An attacker could exploit this bug to obtain unrestricted access to SAP systems, allowing them to create their own user accounts and execute arbitrary system commands.

References: https://www.infosecurity-magazine.com/news/cisa-patch-critical-sap-recon-bug/

Snort SIDs: 54571 - 54574


Title: Cisco discloses 33 vulnerabilities in small business routers, firewalls

Description: Cisco disclosed 33 vulnerabilities in their RV series of routers and firewalls earlier this month. The products mainly service small business environments. One of the bugs, CVE-2020-3330, could allow an adversary to completely take over a device if the user hadn't reset the default admin credentials that came pre-installed on the device. There is also a critical privilege escalation vulnerability in Prime License Manager.

References: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv110w-static-cred-BMTWBWTy
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-rce-AQKREqp
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-code-exec-wH3BNFb
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-prime-priv-esc-HyhwdzBA

Snort SIDs: 54538 - 54567

Internet Storm Center Entries


More information is emerging about the massive Twitter hack last week that led to several high-profile accounts being taken over and used in a Bitcoin scam. A new report from the New York Times found that the group behind the hack does not have ties to state-sponsored actors.

https://www.nytimes.com/2020/07/17/technology/twitter-hackers-interview.html


A full breakdown of the intrusion from Twitter found that the hackers targeted 130 accounts, took control of 45 of those accounts, and downloaded information from eight of the compromised accounts.

https://www.reuters.com/article/us-twitter-cyber/twitter-says-attackers-downloaded-data-from-up-to-eight-non-verified-accounts-idUSKBN24J068


The Twitter incident also shows what attackers can do when humans come into the equation, proving once again that employees are sometimes an organization's biggest security weakness.

https://slate.com/technology/2020/07/twitter-hack-human-weakness.html


Israel says it fended off a state-sponsored attack on its water infrastructure for the second time this year.

https://www.timesofisrael.com/cyber-attacks-again-hit-israels-water-system-shutting-agricultural-pumps/


A new report from the British government urged parliament and the prime minister to take immediate action against Russia for its interference in national elections, saying the government "badly underestimated" the threat Russian actors posed.

https://www.bbc.com/news/uk-politics-53484344


As China and the U.S. continue to trade barbs over TikTok and other Chinese-created apps, security experts say TikTok's policies align with many other popular, American social media apps.

https://www.wired.com/story/tiktok-ban-us-national-security-risk/


American prosecutors charged two Chinese nationals for an alleged large-scale cyber campaign aimed at stealing information related to COVID-19 research.

https://www.cnn.com/2020/07/21/politics/china-hackers-coronavirus/index.html


Diebold Nixdorf says that hackers have managed to obtain proprietary software and are using it in ATM jackpotting attacks.

https://arstechnica.com/information-technology/2020/07/crooks-are-using-a-new-way-to-jackpot-atms-made-by-diebold/


A new Android trojan appears to be a variant of LokiBot and is going after popular apps like Tinder, Netflix and Instagram to steal users' information.

https://www.techradar.com/news/new-android-malware-targets-over-300-different-apps-with-a-focus-on-dating-and-social-media


Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-8605

Title: Trend Micro Web Security Virtual Appliance Remote Code Execution Vulnerability

Vendor: Trend Micro

Description: A vulnerability in Trend Micro InterScan Web Security Virtual Appliance may allow remote attackers to execute arbitrary code on affected installations. An attacker can leverage this vulnerability to disclose information in the context of the IWSS user. An authenticated remote attacker could exploit a command injection flaw in the product, leading to remote code execution.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-1350

Title: Microsoft Windows DNS Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-5902

Title: F5 BIG-IP Remote Code Execution Vulnerability

Vendor: F5

Description: F5 BIG-IP is exposed to a remote code execution vulnerability. The vulnerability, which has been actively exploited in the wild, allows attackers with network access to read files, execute code or take complete control of vulnerable systems.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-6287

Title: SAP NetWeaver Application Server JAVA Multiple Vulnerabilities

Vendor: SAP

Description: SAP NetWeaver AS JAVA (LM Configuration Wizard) does not perform an authentication check (a Missing Authentication Check), which allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the Confidentiality, Integrity and Availability of the system. An unauthenticated attacker can exploit this vulnerability over the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-15363

Title: WordPress Theme NexosReal Estate 'search_order' SQL Injection Vulnerability

Vendor: Nexos

Description: The NexosReal Estate Theme is exposed to a remote SQL injection vulnerability via the search_order parameter of the side-map page (side-map/?search_order=).

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-13866

Title: WinGate Privilege Escalation Vulnerability

Vendor: qbik

Description: WinGate has insecure permissions for the installation directory, which allows local users to gain privileges by replacing an executable file with a Trojan horse. The WinGate directory hands full control to authenticated users, who can then run arbitrary code as SYSTEM after a WinGate restart or system reboot.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-2021

Title: Palo Alto Networks PAN-OS Authentication Bypass in SAML Authentication Vulnerability

Vendor: Palo Alto Networks

Description: When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-3952

Title: VMware vCenter vmdir Information Disclosure Vulnerability

Vendor: VMware

Description: Under certain conditions vmdir does not correctly implement access controls. A malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8

MD5: 179c09b866c9063254083216b55693e6

VirusTotal: https://www.virustotal.com/gui/file/449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.File.Segurazo::95.sbx.tg


SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188

MD5: a10a6d9dfc0328a391a3fdb1a9fb18db

VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAntivirusService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201