Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: New botnet supports cryptocurrency mining for Monero

Description: Cisco Talos recently discovered a complex campaign employing a multi-modular botnet, dubbed Prometei, with multiple ways to spread and a payload focused on providing financial benefit to the attacker by mining the Monero cryptocurrency. Prometei employs various methods to spread across the network, such as SMB with stolen credentials, psexec, WMI and SMB exploits. The adversary also uses several custom-built tools that help the botnet increase the number of systems participating in its Monero-mining pool. Apart from its heavy focus on spreading across the environment, Prometei also tries to recover administrator passwords. The recovered passwords are sent to the C2 and then reused by other modules, which attempt to verify the validity of the passwords against other systems over the SMB and RDP protocols.

References: https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html

Snort SIDs: 54610 - 54612
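The credential-reuse behaviour described above (one source testing recovered passwords against many hosts over SMB and RDP) is visible in Windows Security logon events. The following is an added detection example, not code from the Talos writeup or from Prometei itself: it runs over a constructed set of events modelled on the fields of event IDs 4624/4625 (the event list, host names, IPs, the ten-minute window and the five-host threshold are all assumptions for illustration) and flags any (source IP, account) pair that touches an unusually large number of distinct hosts via network (type 3) or RDP (type 10) logons within the window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), modelled on the fields of Windows
# Security events 4624 (logon success) and 4625 (logon failure). Logon type 3
# is a network logon (SMB, psexec and WMI land here); type 10 is RDP.
EVENTS = [
    {"time": "2020-07-20T09:58:10", "id": 4624, "logon_type": 3,  "user": "CORP\\jsmith",     "src_ip": "10.1.2.7",  "host": "FS01"},
    {"time": "2020-07-20T10:00:01", "id": 4624, "logon_type": 3,  "user": "CORP\\svc_backup", "src_ip": "10.1.1.50", "host": "FS01"},
    {"time": "2020-07-20T10:00:04", "id": 4625, "logon_type": 3,  "user": "CORP\\svc_backup", "src_ip": "10.1.1.50", "host": "FS02"},
    {"time": "2020-07-20T10:00:09", "id": 4624, "logon_type": 3,  "user": "CORP\\svc_backup", "src_ip": "10.1.1.50", "host": "DC01"},
    {"time": "2020-07-20T10:00:15", "id": 4624, "logon_type": 10, "user": "CORP\\svc_backup", "src_ip": "10.1.1.50", "host": "WS-ACCT-3"},
    {"time": "2020-07-20T10:01:02", "id": 4625, "logon_type": 10, "user": "CORP\\svc_backup", "src_ip": "10.1.1.50", "host": "WS-ACCT-4"},
    {"time": "2020-07-20T10:02:30", "id": 4624, "logon_type": 3,  "user": "CORP\\svc_backup", "src_ip": "10.1.1.50", "host": "PRINT01"},
    {"time": "2020-07-20T10:05:00", "id": 4624, "logon_type": 2,  "user": "CORP\\svc_backup", "src_ip": "10.1.1.50", "host": "WS-HR-9"},
    {"time": "2020-07-20T10:30:44", "id": 4624, "logon_type": 10, "user": "CORP\\jsmith",     "src_ip": "10.1.2.7",  "host": "WS-ACCT-3"},
]

RELEVANT_EVENT_IDS = {4624, 4625}   # both successes and failures count as a credential test
REMOTE_LOGON_TYPES = {3, 10}        # SMB-style network logons and RDP; interactive (2) is ignored


def find_credential_reuse(events, window=timedelta(minutes=10), min_hosts=5):
    """Return {(src_ip, user): hosts} for every source that authenticated (or tried to)
    against at least `min_hosts` distinct hosts over SMB/RDP within any `window`."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] in RELEVANT_EVENT_IDS and e["logon_type"] in REMOTE_LOGON_TYPES:
            key = (e["src_ip"], e["user"])
            by_source[key].append((datetime.fromisoformat(e["time"]), e["host"]))

    alerts = {}
    for src, seq in by_source.items():
        seq.sort()
        # Sliding window anchored at each event: which hosts did this source touch
        # in the preceding `window`? Small inputs make the quadratic scan acceptable.
        for t, _ in seq:
            hosts = {h for t2, h in seq if t - window <= t2 <= t}
            if len(hosts) >= min_hosts:
                alerts[src] = alerts.get(src, set()) | hosts
    return alerts


if __name__ == "__main__":
    for (src_ip, user), hosts in find_credential_reuse(EVENTS).items():
        print(f"{user} from {src_ip} touched {len(hosts)} hosts: {sorted(hosts)}")
```

In a real deployment the threshold has to be tuned, and legitimate sources that behave the same way (patch management, vulnerability scanners, backup agents) need an allow-list; otherwise the logic is the same whether the events come from a SIEM query or from the raw event log.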


Title: Attackers exploit high-severity vulnerability in Cisco Adaptive Security Appliance

Description: Cisco warned users that attackers are actively exploiting a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software that could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to improper input validation of URLs in HTTP requests; an adversary exploits it by sending a crafted HTTP request containing directory traversal sequences to an affected device.

References: https://threatpost.com/attackers-exploiting-high-severity-network-security-flaw-cisco-warns/157756/

Snort SIDs: 54598 - 54601

Security News


Many Garmin GPS services went dark for several days last week after a ransomware attack.

https://arstechnica.com/information-technology/2020/07/garmans-four-day-service-meltdown-was-caused-by-ransomware/


While many users complained of the Garmin outage affecting things like workout tracking, the attack was much more serious in that it shut down Garmin's flight-tracking technology used by amateur and training pilots.

https://www.wired.com/story/garmin-outage-ransomware-attack-workouts-aviation/


Top Democrats in Congress called on President Donald Trump's administration to go public with the top security threats facing the 2020 general election.

https://www.marketwatch.com/story/trump-needs-to-go-public-with-threats-to-election-security-top-democrats-say-2020-07-24


The manager of the Cerberus Android malware is selling what they say is the banking trojan's source code for $100,000, all while still offering services at yearly and monthly rates, too.

https://www.bleepingcomputer.com/news/security/cerberus-android-malware-source-code-offered-for-sale-for-100-000/


An unknown hacker breached the infamous Emotet botnet, replacing its malware payloads with humorous GIFs and defanging a botnet that is the origin of many spam emails.

https://www.zdnet.com/article/a-vigilante-is-sabotaging-the-emotet-botnet-by-replacing-malware-payloads-with-gifs/


Attackers are still exploiting a major vulnerability in F5's BIG-IP controller, weeks after the company first disclosed the bug. The U.S. government urged all users to patch as soon as possible.

https://arstechnica.com/information-technology/2020/07/hackers-actively-exploit-high-severity-networking-vulnerabilities/


A leading American think tank warned that companies need to take greater measures to protect supply chains from cyber attacks, outlining 115 examples of attacks that took place over the past 10 years.

https://www.atlanticcouncil.org/programs/scowcroft-center-for-strategy-and-security/cyber-statecraft-initiative/breaking-trust/


The Fancy Bear APT hacking group carried out an espionage campaign from December 2018 until May 2020, looking to break into mail servers belonging to major U.S. government agencies and energy sector organizations.

https://www.wired.com/story/russia-fancy-bear-us-hacking-campaign-government-energy/


Grocery delivery app Instacart blamed reused passwords for a recent spike in compromised accounts.

https://techcrunch.com/2020/07/24/instacart-data-theft-two-factor/


Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-3187

Title: Cisco ASA Software and FTD Software Web Services Path Traversal Vulnerability

Vendor: Cisco

Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences.

CVSS v3 Base Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)


ID: CVE-2020-3452

Title: Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability

Vendor: Cisco

Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
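Both Cisco entries above (CVE-2020-3187 and CVE-2020-3452, and the Talos item on the same bug) come down to one mistake: validating the URL before it has been fully canonicalised, so that "directory traversal character sequences" survive into the file lookup. The following is an added example, not Cisco's code and not the exploit for either CVE: a filter of the kind that fails (decode once, look for a literal "..") next to a resolver that canonicalises first and then checks the result against the document root. The document root and the sample request paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html"   # assumed document root for the example


def naive_resolve(request_path: str, webroot: str = WEBROOT):
    """A filter of the kind that fails: decode once, reject a literal '..'.
    It is too strict (rejects harmless '/a/../b') and too lax (misses '%252e%252e')."""
    decoded = unquote(request_path)
    if ".." in decoded:
        return None
    return webroot + "/" + decoded.lstrip("/")


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, because a proxy or the
    server itself may decode more than once ('%252e' -> '%2e' -> '.')."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            return d
        s = d
    return s


def safe_resolve(request_path: str, webroot: str = WEBROOT):
    """Return the filesystem path for request_path, or None if it escapes webroot.

    Canonicalise (decode, unify separators, normpath) and then check the *result*
    against the root, instead of pattern-matching the raw input."""
    decoded = fully_decode(request_path).replace("\\", "/")
    if "\x00" in decoded:          # NUL would truncate the path in a C file API
        return None
    candidate = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    if candidate != webroot and not candidate.startswith(webroot + "/"):
        return None
    return candidate


# Constructed request paths for illustration, not taken from any real exploit.
SAMPLES = [
    "/css/site.css",
    "/images/../index.html",
    "/images/../../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/%252e%252e/%252e%252e/%252e%252e/etc/passwd",
    "/..%5c..%5cwindows/win.ini",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:48s} naive={naive_resolve(p)!s:40s} safe={safe_resolve(p)}")
```

The double-encoded sample is the interesting one: the naive filter returns a path that still contains `%2e%2e`, which is exactly what a later decoding layer turns into `..`. Note that `posixpath.normpath` does not follow symlinks; a server that serves from a directory containing symlinks should additionally call `os.path.realpath` on the candidate and repeat the prefix check.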


ID: CVE-2020-8163

Title: Ruby On Rails Remote Code Execution Vulnerability

Vendor: Ruby On Rails

Description: This is a code injection vulnerability that allows an attacker who controls the "locals" argument of a "render" call to achieve remote code execution.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-5902

Title: F5 BIG-IP Remote Code Execution Vulnerability

Vendor: F5

Description: F5 BIG-IP is affected by a remote code execution vulnerability that has been actively exploited in the wild. It allows an attacker with network access to the vulnerable interface to read files, execute code or take complete control of the affected system.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-1350

Title: Microsoft Windows DNS Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-3140

Title: Cisco Prime License Manager Privilege Escalation Vulnerability

Vendor: Cisco

Description: A vulnerability in the web management interface of Cisco Prime License Manager (PLM) Software could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device. The vulnerability is due to insufficient validation of user input on the web management interface. An attacker could exploit this vulnerability by submitting a malicious request to an affected system. An exploit could allow the attacker to gain administrative-level privileges on the system.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-2021

Title: Palo Alto Networks PAN-OS Authentication Bypass in SAML Authentication Vulnerability

Vendor: Palo Alto Networks

Description: When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
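The PAN-OS entry above describes the classic SAML trust-anchor failure: a signature is checked, but against whatever certificate the message itself carries, so an attacker who signs with their own key is accepted. The following is an added example, not Palo Alto Networks' code and not the exploit for CVE-2020-2021. It models the two verifier behaviours side by side on constructed messages. The "certificates" are opaque strings, and HMAC keyed per certificate stands in for RSA-SHA256 XML-DSig (in reality the public key inside the certificate verifies what the matching private key signed); the trust decision being demonstrated is the same. The issuer, user names and key material are assumptions for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in PKI (not real certificates). KEYS maps each certificate to
# the key that produces signatures verifiable under it, so a verifier can check a
# signature against *any* certificate it is handed; the scheme's security rests
# entirely on which certificate the verifier agrees to trust.
IDP_CERT = "CERT-idp.example.com-0001"        # the certificate configured on the SP
ATTACKER_CERT = "CERT-attacker-controlled"    # a certificate the attacker holds the key for
KEYS = {IDP_CERT: b"idp-signing-key", ATTACKER_CERT: b"attacker-signing-key"}


def canonical(issuer: str, name_id: str) -> bytes:
    """Simplified canonicalisation of the signed content."""
    return f"{issuer}|{name_id}".encode()


def build_response(issuer: str, name_id: str, cert: str) -> str:
    """Produce a minimal SAML Response signed with the key behind `cert`."""
    sig = hmac.new(KEYS[cert], canonical(issuer, name_id), hashlib.sha256).hexdigest()
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        f"<saml:Assertion><saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject></saml:Assertion>"
        f"<ds:Signature><ds:SignatureValue>{sig}</ds:SignatureValue>"
        f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"
    )


def fingerprint(cert: str) -> str:
    return hashlib.sha256(cert.encode()).hexdigest()


def verify_response(xml: str, trusted_idp_cert: str, validate_idp_cert: bool):
    """Return the authenticated NameID, or None if the response must be rejected.

    validate_idp_cert=False models the 'Validate Identity Provider Certificate'
    option being unchecked: the certificate carried in KeyInfo is used as-is.
    validate_idp_cert=True pins verification to the configured IdP certificate."""
    # Production code should parse untrusted XML with defusedxml and a real
    # XML-DSig library; ElementTree keeps this example stdlib-only.
    root = ET.fromstring(xml)
    issuer = root.findtext(".//saml:Issuer", namespaces=NS)
    name_id = root.findtext(".//saml:NameID", namespaces=NS)
    sig = root.findtext(".//ds:SignatureValue", namespaces=NS)
    embedded_cert = root.findtext(".//ds:X509Certificate", namespaces=NS)
    if not all([issuer, name_id, sig, embedded_cert]):
        return None

    if validate_idp_cert:
        # Trust-anchor check: the message must be signed by the configured IdP,
        # not merely by someone whose certificate happens to be attached to it.
        if not hmac.compare_digest(fingerprint(embedded_cert), fingerprint(trusted_idp_cert)):
            return None
        cert_for_verification = trusted_idp_cert
    else:
        cert_for_verification = embedded_cert   # the bug: the sender chooses the key

    key = KEYS.get(cert_for_verification)
    if key is None:
        return None
    expected = hmac.new(key, canonical(issuer, name_id), hashlib.sha256).hexdigest()
    return name_id if hmac.compare_digest(expected, sig) else None


# Constructed messages: a genuine IdP response, one the attacker signed with
# their own key, and a genuine one edited after signing.
HONEST = build_response("https://idp.example.com", "alice", IDP_CERT)
FORGED = build_response("https://idp.example.com", "admin", ATTACKER_CERT)
TAMPERED = HONEST.replace("alice", "bob")

if __name__ == "__main__":
    for label, msg in [("honest", HONEST), ("forged", FORGED), ("tampered", TAMPERED)]:
        print(f"{label:8s} cert unchecked -> {verify_response(msg, IDP_CERT, False)!r:8s}"
              f"  cert pinned -> {verify_response(msg, IDP_CERT, True)!r}")
```

The tampered message is rejected either way, which is why the signature check alone looks healthy in testing; only the forged message, internally consistent and signed by the wrong party, separates the two configurations. The same check belongs in any SAML service provider regardless of vendor: verify against the certificate you configured, never against the one in `KeyInfo`.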


Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e66d6d13096ec9a62f5c5489d73c0d1dd113ea4668502021075303495fd9ff82

MD5: f0fdc17674950a4eaa4bbaafce5007f6

VirusTotal: https://www.virustotal.com/gui/file/e66d6d13096ec9a62f5c5489d73c0d1dd113ea4668502021075303495fd9ff82/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Auto:e66d6d1309.in03.Talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAntivirusService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201