Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: American intelligence agencies warn of uptick in Taidoor infections

Description: American intelligence agencies released a joint statement last week warning government agencies, contractors and think tanks of the Taidoor malware. Taidoor is believed to date back to 2008, having been spotted in the wild since 2012. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, the Department of Defense's Cyber Command (CyberCom), and the FBI issued a joint statement outlining the new strain of malware, which masks its communication with a command and control (C2) server. The RAT carries out multiple espionage activities, including exfiltrating files.

References: https://www.cpomagazine.com/cyber-security/us-government-agencies-issue-alert-over-taidoor-malware-attack-in-chinese-cyber-espionage-campaigns/

Snort SIDs: 54801


Title: Linux malware used to infiltrate sensitive networks

Description: A new malware strain believed to originate from Russian state-sponsored actors is targeting networks that hold sensitive intelligence information. Known as Drovorub, CISA says the malware has gone undetected until recently, spying on networks and exfiltrating sensitive information. Drovorub is a fully functioning toolkit that includes the ability to infect Linux devices, a kernel to gain persistence and avoid detection, a server that reaches out to a C2 and an agent to act as an intermediary between infected machines and attacker-controlled servers. Linux users are urged to upgrade to version 3.7 or later.

References: https://arstechnica.com/information-technology/2020/08/nsa-and-fbi-warn-that-new-linux-malware-threatens-national-security/

Snort SIDs: 54793

Security News


The American Election Assistance Commission is asking one of the country's largest polling machine production companies to remove a claim from its products that implies they are EAC-certified.

https://www.politico.com/news/2020/08/13/election-voting-machine-misleading-claims-394891


The Tor browser warned users that it detected some exit relays monitoring outbound traffic in May and July, HTTP connections to certain cryptocurrency websites and preventing them from accessing the HTTPS versions of the sites.

https://blog.torproject.org/bad-exit-relays-may-june-2020


An alleged killswitch for the Emotet botnet has reportedly been circulating for six months, and the creator says administrators could use it to discover the exact moment Emotet infects their networks.

https://www.zdnet.com/article/for-six-months-security-researchers-have-secretly-distributed-an-emotet-vaccine-across-the-world/


Oracle has now entered the race to purchase TikTok's American operations as the popular social media app tries to avoid a ban from U.S. app stores.

https://www.cnbc.com/2020/08/17/oracle-is-in-talks-to-acquire-tiktoks-us-operations-source-says.html


The Canadian government had to shut down access to some online resources over the weekend, including some sites that provides information on COVID-19 relief, after a credential-stuffing attack.

https://www.cnn.com/2020/08/17/tech/cyberattack-canada-government-accounts/index.html


The Cybersecurity and Infrastructure Security Agency says it has seen a recent uptick in attacks delivering Microsoft Word documents containing the KONNI remote access trojan.

https://us-cert.cisa.gov/ncas/alerts/aa20-227a


An upcoming version of the Google Chrome web browser will warn users if there are any forms on HTTPS sites that are not secure.

https://9to5google.com/2020/08/17/chrome-insecure-forms-warning/

Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID: CVE-2020-1147

Title: Microsoft Sharepoint Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2020-1464

Title: Microsoft Windows Spoofing Vulnerability

Vendor: Microsoft

Description: A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files. In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded

CVSS v3 Base Score: 5.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)


ID: CVE-2020-9715

Title: Adobe Acrobat Reader User After Free Vulnerability

Vendor: Adobe

Description: A use-after-free vulnerability could allow remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. The specific flaw exists within the handling of ESObject data objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2020-3411

Title: Cisco DNA Center Information Disclosure Vulnerability

Vendor: Cisco

Description: A vulnerability in Cisco DNA Center software could allow an unauthenticated remote attacker access to sensitive information on an affected system. The vulnerability is due to improper handling of authentication tokens by the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker access to sensitive device information, which includes configuration files.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


ID: CVE-2020-3698

Title: Qualcomm Out-Of-Bounds Memory Corruption Vulnerability

Vendor: Qualcomm

Description: An Out of bound write happens in the component QoS DSCP when mapping due to improper input validation for data received from association response frame in Qualcomm Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music and Snapdragon Wearables (Chip Software).

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2019-16759

Title: vBulletin Remote Code Execution Vulnerability

Vendor: vBulletin

Description: vBulletin allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. The vulnerability was disclosed through an 18-line exploit that was published on Monday by an unidentified person. The exploit allows unauthenticated attackers to remotely execute malicious code on just about any vBulletin server.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-3433

Title: Cisco AnyConnect Secure Mobility Client for Windows DLL Hijacking Vulnerability

Vendor: Cisco

Description: A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8

MD5: 179c09b866c9063254083216b55693e6

VirusTotal: https://www.virustotal.com/gui/file/449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.File.Segurazo::95.sbx.tg


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eter.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 9836cf123caa799eaf57a449ba6da0cdecf0445f58a8238fa0d98b19e93cdb22

MD5: 26b2996b69542d039c303e2fee6dac81

VirusTotal: https://www.virustotal.com/gui/file/9836cf123caa799eaf57a449ba6da0cdecf0445f58a8238fa0d98b19e93cdb22/details

Typical Filename: 226a60f6-4340-45e9-9b01-d95106369b83

Claimed Product: N/A

Detection Name: W32.9836CF123C-100.SBX.TG