Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft issues security update fixing vulnerabilities in Azure Sphere

Description: Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft's Azure Sphere, a custom, cloud-connected SoC platform designed specifically with IoT application security in mind. Internally, the SoC is made up of several ARM cores with different roles (e.g. running different types of applications, enforcing security, and managing encryption); externally, the Azure Sphere platform is supported by Microsoft's Azure Sphere cloud, which handles secure updates and app deployment and periodically verifies device integrity to decide whether the device should be allowed cloud access. Talos discovered four vulnerabilities in Azure Sphere, two of which could lead to unsigned code execution and the other two to privilege escalation.

References: https://blog.talosintelligence.com/2020/08/vuln-spotlight-microsoft-azure-aug-2020.html

Snort SIDs: 54645, 54646, 54729, 54730


Title: Cross-site scripting bug affects open-source CMS, used by many WordPress sites

Description: TinyMCE recently disclosed a vulnerability that could have allowed attackers to completely take over some websites. The open-source content management system and text editor fixed a high-severity cross-site scripting vulnerability. An attacker could input specific HTML code into a forum on an affected website to exploit this vulnerability, allowing them to take control of the websites. Security researchers suggest thousands of sites could be affected.

References: https://threatpost.com/high-severity-tinymce-cross-site-scripting-flaw-fixed/158306/

Snort SIDs: 54815, 54816

Internet Storm Center Entries


The U.S. Department of Homeland Security recently discovered multiple fake websites that could be used to spread fake news prior to the November election.

https://news.yahoo.com/exclusive-dhs-warns-of-fake-election-websites-potentially-tied-to-criminals-foreign-actors-221029900.html


Google patched a vulnerability in Gmail that could have allowed attackers to spoof emails from any sender, making them appear legitimate.

https://www.zdnet.com/article/google-fixes-major-gmail-bug-seven-hours-after-exploit-details-go-public/


Companies are trying to figure out how best to protect their data and important documents as there's no end in sight for the work from home trend created by the COVID-19 pandemic. (Please note: this story is behind a paywall.)

https://www.wsj.com/articles/as-remote-work-continues-companies-fret-over-how-to-monitor-employees-data-handling-11598002202


A hacktivist group claims to have uncovered information belonging to three Chinese companies that spy on social media users' profiles; Twitter quickly banned the group for violating its hacked documents policy.

https://www.vice.com/en_us/article/dyzewz/hackers-leak-alleged-internal-files-of-chinese-social-media-monitoring-firms


Credit reporting agency Experian recently exposed the data of 24 million South African users after attackers tricked company representatives into handing over the information.

https://www.cyberscoop.com/experian-south-africa-breach-sabric/


The U.S. District Court in San Francisco unveiled charges against Uber's former security chief for allegedly trying to cover up a massive data breach in 2016 that affected more than 50 million Uber drivers and passengers.

https://www.nytimes.com/2020/08/20/technology/joe-sullivan-uber-charged-hack.html


The FBI and U.S. CISA issued a joint warning alerting private companies and government agencies to a voice-phishing campaign that aims to steal VPN credentials and use them to steal data from company databases.

https://krebsonsecurity.com/2020/08/fbi-cisa-echo-warnings-on-vishing-threat/


A former Apple engineer alleges that the company secretly worked with the United States government to build a special version of the iPod that could have collected users' data.

https://arstechnica.com/information-technology/2020/08/apple-helped-us-government-build-a-secret-ipod-former-engineer-says/


Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-1147

Title: Microsoft Sharepoint Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2020-1530

Title: Microsoft Windows Remote Access Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when Windows Remote Access improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-1380

Title: Microsoft Scripting Engine Memory Corruption Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2020-6519

Title: Google Chrome Arbitrary Code Execution Vulnerability

Vendor: Google

Description: Policy bypass in CSP in Google Chrome allowed a remote attacker to bypass content security policy via a crafted HTML page. It could allow attackers to bypass the Content Security Policy (CSP) on websites, in order to steal data and execute rogue code.

CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)


ID: CVE-2020-3506

Title: Cisco IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerabilities

Vendor: Cisco

Description: Multiple vulnerabilities in the Cisco Discovery Protocol implementation for Cisco Video Surveillance 8000 Series IP Cameras could allow an unauthenticated, adjacent attacker to execute code remotely or cause a reload of an affected IP camera. These vulnerabilities are due to missing checks when the IP cameras process a Cisco Discovery Protocol packet. An attacker could exploit these vulnerabilities by sending a malicious Cisco Discovery Protocol packet to the targeted IP camera.

CVSS v3 Base Score: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-15858

Title: Cinterion Java Modules Vulnerability

Vendor: Cinterion

Description: This security vulnerability could potentially allow attackers with physical access to the device to compromise certain assets stored in the Cinterion modules' flash file system, such as customer Java MIDlet byte code, TLS credentials or OTAP configuration data.

CVSS v3 Base Score: 6.2 (AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L)


ID: CVE-2020-3398

Title: Cisco NX-OS Software Border Gateway Protocol Multicast VPN Session Denial of Service Vulnerability

Vendor: Cisco

Description: A vulnerability in the Border Gateway Protocol (BGP) Multicast VPN (MVPN) implementation of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a BGP session to repeatedly reset, causing a partial denial of service condition due to the BGP session being down. The vulnerability is due to incorrect parsing of a specific type of BGP MVPN update message. An attacker could exploit this vulnerability by sending this BGP MVPN update message to a targeted device. A successful exploit could allow the attacker to cause the BGP peer connections to reset, which could lead to BGP route instability and impact traffic.

CVSS v3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)


Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eter.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


SHA 256: 7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36

MD5: adad179db8c67696ac24e9e11da2d075

VirusTotal: https://www.virustotal.com/gui/file/7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: W32.7F9446709F-100.SBX.VIOC


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos